Checks whether the given value matches any of the values of the array and excludes the event from the search result if it does not match any value.
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
array[a] | string | required | A string in the format of a valid array followed by []. A valid array can either be an identifier, a valid array followed by . and an identifier, or a valid array followed by an array index surrounded by square brackets. E.g., for events with fields incidents[0], incidents[1], ... this would be incidents[]. | |
value | string | required | The exact value of the array to search for. | |
[a] The argument name | ||||
Hide omitted argument names for this function
Omitted Argument NamesThe argument name for
arraycan be omitted; the following forms of this function are equivalent:logscalearray:contains("value[]",value="value")and:
logscalearray:contains(array="value[]",value="value")These examples show basic structure only.
Hide negatable operation for this function
Negatable Function OperationThis function is negatable, implying the inverse of the result. For example:
logscale!array:contains()Or:
logscalenot array:contains()For more information, see Negating the Result of Filter Functions.
A specific syntax applies for this query function, see Array Syntax for details.
array:contains() Examples
Aggregating Array Content
array:contains("incidents[]", value="Cozy Bear")
| groupBy(host)
Given events containing an incidents array:
Event 1
|--------------|-------------|
| host | v1 |
| incidents[0] | Evil Bear |
| incidents[1] | Cozy Bear |
|--------------|-------------|Event 2
|--------------|-------------|
| host | v15 |
| incidents[0] | Fancy Fly |
| incidents[1] | Tiny Cat |
| incidents[2] | Cozy Bears |
|--------------|-------------|
Find all the events where the field
incidents contains the
exact value Cozy Bear and group them by which hosts
were affected, giving output event:
Starting with the source repository events
- flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 0[/Filter/] 1[/Filter/] result{{Result Set}} repo --> 0 0 --> 1 1 --> result style 0 fill:#ff0000,stroke-width:4px,stroke:#000;
Extract elements from the array incidents from the field host that match the text
Cozy Bear. The items will be output into the host field.logscalearray:contains("incidents[]", value="Cozy Bear") - flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 0[/Filter/] 1[/Filter/] result{{Result Set}} repo --> 0 0 --> 1 1 --> result style 1 fill:#ff0000,stroke-width:4px,stroke:#000;
Group the result events extracted from the array by the host.
logscale| groupBy(host) Event Result set
The result is an aggregated count of the array elements matching
Cozy Bear.
| field | value |
|---|---|
| host | v1 |
| _count | 1 |