Concatenates the values of all fields with the same name and an
array suffix into a value in a new field. Such array fields
typically come as output from either
parseJson() or
splitString().
All array fields starting with index from and ending with index
to are selected. If some index is missing, the concatenation
stops with the previous index, thus if only index 0, 1 and 3 are
present, only index 0 and 1 are concatenated. If the first index
is missing, no field is added to the event.
In this example, the objectArray:eval()
function is used to extract one object from each element of an
array of objects and then uses
concatArray() to create a single string of
the values.
Iterates (creates a loop) over the array a[] and
adds the value of the object .bar to a new array
output[]. This is achieved by executing an
anonymous function, which sets the value of output
to the iterated value of x.bar from
a[].
The
asArray
parameter is set to the
output[] field, and
then when we assign the value of
x.bar to this
output[] field.
logscale
|concatArray("output")
Concatenates the array values in the
output array and
returns the result in a new field named
_concatArray.
Notice that the concatArray() function
concatenates the elements of the supplied array and returns a
string, containing the joined arrays. The
concatArray() method does not change the
existing arrays.
Event Result set.
Summary and Results
The query is used to create a single value from compound arrays.
This can be useful when you need to generate an identity field
from a nested array, for example when summarizing data, or to
create compound values from class definitions or IP addresses.
Sample output from the incoming example data:
a[0].foo
a[0].bar
a[1].foo
a[1].bar
output[0]
output[1]
_concatArray
a
b
c
d
b
d
bd
Concatenate Values From Deeply Nested Array Elements
Concatenate deeply nested objects and arrays using objectArray:eval() function with itself
In this example, the objectArray:eval()
function is used with itself to concatenate a deeply nested
arrays of objects values in the array
in[] and return the
concatenated values in the output field
out[].
Iterates over the array from start to end (or to the first
empty index in the array, applies the given function, and
returns the concatenated results in a new output array name
field out[].
The nested objectArray:eval() performs
the concatenation of the values within the nested array by
calling the concatArray() function.
Notice that in the nested call to
objectArray:eval(), the given input array
name is the nested array
in.others[]. This
works because it is translated to the field
in[i].others[] by the
parent objectArray:eval() current array
index i.
To return the concatenated array, the
asArray
parameter is set to the
tmp[] field, and then
when we assign the value of the concatenated value.
Event Result set.
Summary and Results
The query is used to concatenate deeply nested arrays of
objects. The use of this function in this way is often useful
when incoming ingested data has been defined in a nested
structure, but needs to be displayed or summarized. For example,
importing the properties or configuration values may result in a
list of potential values for a given property. Concatenating the
values together makes them easier to use as a summary value for
display in a table or graph.
Sample output from the incoming example data:
out[0]: 123
out[1]: 456
Concatenate Values in Arrays Into New Named Field
Concatenate values in flat arrays into new named field
Query
logscale
concatArray("email",as=servers)
Introduction
In this example, the concatArray() function
concatenates the values of all fields with the same name into a
value in a new defined field.
Concatenates the values of fields
email[0],
email[1] and so on and
returns the results in a field named
servers.
Event Result set.
Summary and Results
The query is used to concatenate (join) two or more arrays into
a new array. Concatenation is useful in programming and
computing because it allows you to store and combine multiple
pieces of data when needed.
Sample output from the incoming example data:
email[0]
email[1]
email[2]
email[3]
email[4]
servers
dopey
sleepy
doc
happy
sneezy
dopeysleepydochappysneezy
Concatenate Values in Arrays Using Pipe Separation
Concatenate values in flat arrays using pipe separation between the concatenated values
Query
logscale
concatArray(server, separator=" | ")
Introduction
In this example, the concatArray() function
concatenates the values of all fields with the same name into
pipe separated values in a new field.
Concatenates the values of fields
server[0],
server[1] and so on and
returns the results in a new array with a field named
_concatArray where the concatenated values
are separated by a pipe.
Event Result set.
Summary and Results
The query is used to concatenate (join) the elements of the
array into a new field where the concatenated values are
separated by a pipe. Concatenation is useful in programming and
computing because it allows you to store and combine multiple
pieces of data when needed.
Sample output from the incoming example data:
server[0]
server[1]
server[2]
server[3]
server[4]
_concatArray
dopey
sleepy
doc
happy
sneezy
dopey
dopey | sleepy | doc | happy | sneezy | dopey
Concatenate Values in Arrays With a Defined Prefix and Suffix
Concatenate values in flat arrays using prefix, suffix and separator
In this example, the concatArray() function
concatenates the values of all fields with the same name and an
array suffix into a value in a new field, adding a prefix and a
suffix to the generated output result.
Concatenates the values of fields
server[0],
server[1] and so on and
returns the results as a string named
_concatArray enclosed in square brackets,
and separated by a comma, which is similar to the written array
format.
Event Result set.
Summary and Results
This can be useful to summarize or format a list of items for
use in another part of the query.
Sample output from the incoming example data:
server[0]
server[1]
server[2]
server[3]
server[4]
_concatArray
dopey
sleepy
doc
happy
sneezy
[dopey,sleepy,doc,happy,dopey]
Concatenate Values of All Fields With Same Name in an Array
Concatenate values of all fields with same name in a flat array
Query
logscale
concatArray(server)
Introduction
In this example, the concatArray() function
concatenates the values of all fields with the same name into a
value in a new field.
Example incoming data might look like this:
Raw Events
server[0] := "dopey"
server[1] := "sleepy"
server[2] := "doc"
server[3] := "happy"
server[4] := "sneezy"
Step-by-Step
Starting with the source repository events.
logscale
concatArray(server)
Concatenates the values of fields
server[0],
server[1] and so on and
returns the results in a new array with a field named
_concatArray. If no field is defined, the
aggregate function always creates a field name beginning with
underscore for the returned values.
Event Result set.
Summary and Results
The query is used to concatenate (join) two or more arrays into
a new array. Concatenation is useful in programming and
computing because it allows you to store and combine multiple
pieces of data when needed.
Sample output from the incoming example data:
email[0]
email[1]
email[2]
email[3]
email[4]
_concatArray
dopey
sleepy
doc
happy
sneezy
dopeysleepydochappysneezy
Concatenate a Range of Values in Arrays
Concatenate values in flat arrays
Query
logscale
concatArray(server, from=1,to=3)
Introduction
In this example, the concatArray() function
concatenates the values of all fields with the same name and
index between 1 to 3 into a value in a new field.
Concatenates the values of fields
server[1],
server[2], and
server[3], and returns
the results in a new array with a field named
_concatArray.
Event Result set.
Summary and Results
The query is used to concatenate (join) two or more arrays into
a new array. Concatenation is useful in programming and
computing because it allows you to store and combine multiple
pieces of data when needed.