Array Query Functions
LogScale's array functions allow you to extract, create and
manipulate items embedded in arrays, or to interpret arrays and nested
arrays within events. In the Array Query Functions
table, functions marked with array
can be used with a
flat array. Functions marked nested-array
are designed
for working with structured arrays.
For information on using arrays, see Array Syntax.
Table: Array Query Functions
Function | Type | Default Argument | Availability | Description |
---|---|---|---|---|
array:contains(array, value) | array, data-manipulation, filter | array | Checks whether the given value matches any of the values of the array and excludes the event if no value matches. | |
array:eval(array, [asArray], function, [var]) | array | array | Evaluates the function argument on all values in the array under the array argument overwriting the array. | |
array:filter(array, [asArray], function, var) | array, data-manipulation, filter | array | Drops entries from the input array using the given filtering function. | |
array:intersection(array, [as]) | aggregate, array | array | Determines the set intersection of array values over input events. | |
array:reduceAll(array, function, var) | aggregate, array, data-manipulation | array | Computes a value from all events and array elements of the specified array. | |
array:reduceColumn(array, [as], function, var) | aggregate, array, data-manipulation | array | Computes an aggregate value for each array element with the same index. | |
array:reduceRow(array, [as], function, var) | array | array | Computes an aggregated value of an array on all events. | |
array:regex(array, [flags], regex) | array, filter, regular-expression | array | Checks whether the given pattern matches any of the values of the array and excludes the event from the search result. | |
array:union(array, [as]) | aggregate, array, data-manipulation | array | Determines the set union of array values over input events. | |
concatArray([as], field, [from], [prefix], [separator], [suffix], [to]) | array, data-manipulation, string | field | Concatenates values of all fields with same name and an array suffix into a new field. | |
split([field], [strip]) | array, data-manipulation | field | Splits an event structure created by a JSON array into distinct events. | |
splitString([as], by, [field], [index]) | array, data-manipulation, regular-expression, string | field | Splits a string by specifying a regular expression by which to split. |
Using Array Query Functions
The following rules and recommendations apply to all the array query functions listed in the Array Query Functions table.
Array functions do not support non-consecutive items in an array.
For example, when manipulating the array:
logscalefoo[0], foo[1], foo[3]
The function will only run against:
logscalefoo[0], foo[1]
Array indexes start at zero; For example, foo[0].
When rereferring to the whole array, use foo[].
Arrays elements are identified using the array name with an [x] suffix.
For example, having the array:
logscalefoo[0], foo[1]
Adding another field:
logscalefoo[2]
Results in the array:
logscalefoo[0],foo[1],foo[2]
With no missing entries, array functions will run against them all.
Field names that have special characters (such as colons) or spaces need to be enclosed in backtick quotes to be properly identified in array functions:
logscalearray:contains("log:errorcode[]", value=3)
If quotes are missing, those fields are not recognized as valid array arguments and an error message is shown in the Query Editor.