Appends single or multiple values to an array, or creates a new array if it does not already exist.

| Parameter | Type   | Required | Default | Description                                                                                                                                                                                  |
|-----------|--------|----------|---------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| array[a]  | string | required |         | Name of the array to append values to. Must follow valid Array Syntax for array of scalars. For example, for events with fields incidents[0], incidents[1], ... this would be incidents[]. |
| value     | string | required |         | The list of expressions to be appended.                                                                                                                                                      |

[a] The argument name array can be omitted.

Omitted Argument Names

The argument name for array can be omitted; the following forms of this function are equivalent:

logscale
array:append("value[]",value="value")

and:

logscale
array:append(array="value[]",value="value")

These examples show basic structure only; full examples are provided below.

The syntax for array:append() looks like this:

logscale
array:append(array=foo[], value=[<exp_1>, ..., <exp_n>])

where array:append() is used to either append the values of exp_1 to exp_n at the end of the foo[] array, or create a new array of these values if the array foo[] is not present in the event. If one of the expressions does not evaluate to a value, then that expression is skipped.

array:append() requires that the input array has continuous, sequential indexes with no gaps. If there are gaps (that is, missing indexes), the function will start inserting new values at the first missing index, potentially overwriting existing elements. For example, having a missing index like in:

|-----------------|
|array[0]  | foo  |
|array[1]  | bar  |
|array[3]  | baz  |
|-----------------|

the query:

logscale
array:append(array[], values=["x", "y", "z"])

will produce the following output:

| field    | value |
|----------|-------|
| array[0] | foo   |
| array[1] | bar   |
| array[2] | x     |
| array[3] | y     |
| array[4] | z     |

meaning that array[3] will be overwritten.

  • Given an event with a field numbers that holds a comma-separated string, the string can be split into an array and the array then extended with new values. For example, the event:

    |-----------------------|
    | numbers   | "1,2,3"   |
    |-----------------------|

    could be expanded into an array using:

    logscale
    createEvents(["numbers=\"1,2,3\""])
    | kvParse()
    | splitString(field=numbers,by=",",as=numbarr)
    | array:append(array="numbarr[]", values=[4])
    | select([numbers, numbarr[0], numbarr[1], numbarr[2], numbarr[3]])

    will produce:

    | numbarr[0] | numbarr[1] | numbarr[2] | numbarr[3] |
    |------------|------------|------------|------------|
    | 1          | 2          | 3          | 4          |
  • Create a related.user[] array that contains information about all user names seen on the event. User names should be normalized to lower case before appending to the array. The following query:

    logscale
    createEvents(["{\"source.user.name\": \"user_1\", \"destination.user.name\": \"USER_2\"}"])
    | parseJson()
    | array:append(array="related.user[]", values=[lower(source.user.name), lower(destination.user.name)])
    | select([source.user.name, destination.user.name, related.user[0], related.user[1]])

    will produce:

    | source.user.name | destination.user.name | related.user[0] | related.user[1] |
    |------------------|-----------------------|-----------------|-----------------|
    | user_1           | USER_2                | user_1          | user_2          |
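The gap-overwrite rule and the related.user[] normalization above, modelled in plain Python as an added example (this is not LogScale code and not how the function is implemented internally). An event is represented as a flat dict of field name to value, the way array[0], array[1], ... fields appear in an event; the names array_append, has_gaps and the sample events are constructed for this illustration.

```python
import re

def _index_fields(event: dict, array: str) -> dict:
    """Map the existing integer indexes of array ('name[]') to their field names."""
    base = array[:-2] if array.endswith("[]") else array
    pat = re.compile(re.escape(base) + r"\[(\d+)\]$")
    found = {}
    for field in event:
        m = pat.match(field)
        if m:
            found[int(m.group(1))] = field
    return found

def array_append(event: dict, array: str, values: list) -> dict:
    """Append values to array in event, following the documented rules:
    - the array is created if none of its elements exist yet;
    - an expression that evaluated to no value (None here) is skipped;
    - writing starts at the FIRST missing index, so a gap makes later
      existing elements get overwritten (the array[3] case above)."""
    base = array[:-2] if array.endswith("[]") else array
    present = _index_fields(event, array)
    i = 0                      # 0 for an absent array, len() for a contiguous one
    while i in present:
        i += 1
    out = dict(event)
    for v in values:
        if v is None:          # expression did not evaluate to a value: skip it
            continue
        out[f"{base}[{i}]"] = v
        i += 1
    return out

def has_gaps(event: dict, array: str) -> bool:
    """True when the array's indexes are not contiguous from 0, i.e. an
    append would silently overwrite existing elements; check this first."""
    idx = _index_fields(event, array)
    return bool(idx) and sorted(idx) != list(range(len(idx)))

# Constructed sample events mirroring the two scenarios on this page.
GAPPED = {"array[0]": "foo", "array[1]": "bar", "array[3]": "baz"}
LOGIN = {"source.user.name": "user_1", "destination.user.name": "USER_2"}

if __name__ == "__main__":
    print(has_gaps(GAPPED, "array[]"))                       # True: array[2] missing
    print(array_append(GAPPED, "array[]", ["x", "y", "z"]))  # array[3] becomes "y"
    names = [LOGIN.get("source.user.name"), LOGIN.get("destination.user.name"),
             LOGIN.get("user.name")]   # third field is absent -> None -> skipped
    print(array_append(LOGIN, "related.user[]",
                       [n.lower() if n is not None else None for n in names]))
```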