A string in the format of a valid array followed by []. A valid array can either be an identifier, a valid array followed by . and an identifier, or a valid array followed by an array index surrounded by square brackets. For example, for events with fields incidents[0], incidents[1], ... this would be incidents[].
Finds all the events where the field incidents contains the exact value Cozy Bear and groups them by which hosts were affected, giving the output event:
Step-by-Step
Starting with the source repository events.
logscale
array:contains("incidents[]",value="Cozy Bear")
Extracts elements from the array incidents from the field host that match the text Cozy Bear. The items will be output into the host field.
logscale
|groupBy(host)
Groups the result events extracted from the array by the host.
Event Result set.
Summary and Results
The result is an aggregated count of the array elements matching Cozy Bear.

field    value
host     v1
_count   1
Check for Values in Array
Use the array query filter array:contains() to check for a value in a flat array.
Query
logscale
array:contains("incidents[]",value="Cozy Bear")
Introduction
In this example, the array:contains() function is used to check if a given value exists in a given array.
Step-by-Step
Starting with the source repository events.
logscale
array:contains("incidents[]",value="Cozy Bear")
Checks if the value Cozy Bear exists within the incidents array field. If the array contains the value, the whole event is included in the search result.
Event Result set.
Summary and Results
The query is used as a filter to check if a given value exists in a
given array within the event set. If the given value does not match any
of the values of the array, then the event is excluded from the search
result. Arrays are used when ingesting security event logs where fields
may have more than one value. If the array contains other values along
with the specified value, these are also included in the search results.
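The filtering behaviour described in both examples above (exact match on a flat array stored as incidents[0], incidents[1], ..., the whole event kept when any element matches, then groupBy(host) counting hosts), as an added Python model that is not part of the LogScale documentation or product; the sample events, the helper names and the simplified array-selector grammar are constructed assumptions for illustration only.

```python
import re
from collections import Counter

# Constructed sample events (not from the page): each event is a flat dict of
# field -> value, with array members stored as incidents[0], incidents[1], ...
EVENTS = [
    {"host": "v1", "incidents[0]": "Cozy Bear"},
    {"host": "v2", "incidents[0]": "APT29", "incidents[1]": "Cozy Bear"},
    {"host": "v3", "incidents[0]": "cozy bear"},   # case differs: not an exact match
    {"host": "v4", "incidents[0]": "Fancy Bear"},
    {"host": "v5"},                                 # no incidents array at all
]

# Simplified selector grammar (assumption): an array name followed by [].
_ARRAY_SPEC = re.compile(r"^(?P<name>[A-Za-z_][\w.\[\]]*)\[\]$")

def array_values(event, array):
    """Return the elements of a flat array such as "incidents[]" in index order.

    Elements are read from fields named <name>[0], <name>[1], ... ; a selector
    without the trailing [] is rejected.
    """
    m = _ARRAY_SPEC.match(array)
    if not m:
        raise ValueError(f"not a valid array selector: {array!r}")
    member = re.compile(r"^" + re.escape(m.group("name")) + r"\[(\d+)\]$")
    found = []
    for field, value in event.items():
        hit = member.match(field)
        if hit:
            found.append((int(hit.group(1)), value))
    return [v for _, v in sorted(found)]

def array_contains(events, array, value):
    """Model of array:contains(): keep the whole event when any element equals
    `value` exactly; the array's other elements stay in the event untouched."""
    return [e for e in events if value in array_values(e, array)]

def group_by(events, field):
    """Model of | groupBy(field): one row per distinct value with its _count."""
    counts = Counter(e[field] for e in events if field in e)
    return [{field: k, "_count": n} for k, n in sorted(counts.items())]

if __name__ == "__main__":
    hits = array_contains(EVENTS, "incidents[]", "Cozy Bear")
    print(group_by(hits, "host"))  # [{'host': 'v1', '_count': 1}, {'host': 'v2', '_count': 1}]
```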