Important
This function is considered experimental and under active development and should not be used in production.
The function must be enabled using the feature flag ArrayFunctions. See Enabling & Disabling Feature Flags.
Determines the set union of array values over input events.
Used to compute the values that occur in any of the events supplied to this function. The output order of the values is not defined. If no arrays are found, the output is empty.
| Parameter | Type | Required | Default Value | Description |
|---|---|---|---|---|
array[a] | string | required | The prefix of the array in LogScale, for example for events with fields incidents[0], incidents[1], ... this would be incidents. | |
as | string | optional[b] | _union | The name of the output array. |
[b] Optional parameters use their default value unless explicitly set. | ||||
Hide omitted argument names for this function
Omitted Argument NamesThe argument name for
arraycan be omitted; the following forms of this function are equivalent:logscalearray:union("value[]")and:
logscalearray:union(array="value[]")These examples show basic structure only.
array:union() Examples
Deduplicate Compound Field Data
Query
splitString(field=userAgent,by=" ",as=agents)
|array:filter(array="agents[]", function={bname=/\//}, var="bname")
|array:union(array=agents,as=browsers)
|transpose()
|drop(column)
|groupBy(row[1])Introduction
Deduplicating fields of information where there are multiple
occurrences of a value in a single field, maybe separated by a
single character can be achieved in a variety of ways. This
solution makes use of array:union(),
transpose() and
groupBy() to collate and aggregate the
information into the final list of values.
For example, when examining the humio and looking
for the browsers or user agents that have used your instance,
the UserAgent data will
contain the browser and toolkits used to support them, for
example:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
The actual names are the
Name/Version pairs showing
compatibility with different browser standards. Resolving this
into a simplified list requires splitting up the list,
simplifying (to remove duplicates), filtering, and then
summarizing the final list.
The process we need to follow is first extract the information into an array of values that we can then simplify and aggregate. It's possible the information in your raw data is already stored in an array of information that needs to be summarised.
Step-by-Step
Starting with the source repository events.
- logscale
splitString(field=userAgent,by=" ",as=agents)Splits up the userAgent field using a call to
splitString()and places the output into the array field agentsThis will create individual array entries into the agents array for each event:
agents[0]="Mozilla/5.0" agents[1]="(Macintosh;" agents[2]="Intel" agents[3]="Mac" agents[4]="OS" agents[5]="X" agents[6]="10_15_7)" agents[7]="AppleWebKit/537.36" agents[8]="(KHTML," agents[9]="like" agents[10]="Gecko)" agents[11]="Chrome/116.0.0.0" agents[12]="Safari/537.36" - logscale
|array:filter(array="agents[]", function={bname=/\//}, var="bname") - logscale
|array:union(array=agents,as=browsers)Using
array:union()we aggregate the list of user agents across all the events to create a list of unique entries. This will eliminate duplicates where the value of the user agent is the same value. - logscale
|transpose()Using the
transpose(), we transpose the rows and columns for the list of matching field field names and values, turning:browsers[0] browsers[1].browsers[2] Gecko/20100101 Safari/537.36 AppleWebKit/605.1.15 into:
column row[1] browsers[0] Gecko/20100101 browsers[1] Safari/537.36 browsers[2] AppleWebKit/605.1.15 - logscale
|drop(column)We do not need the column information, just the unique list of browsers in the row[1] column, so we drop the field from the event list.
- logscale
|groupBy(row[1])Now we can aggregate the list, by the remaining field row[1] to provide the unique list of potential values. This is not a count of the times each has occurred, but a unique list of all the different possible values. The resulting list looks like this:
Event Result set.
Summary and Results
The resulting output from the query is a summarized list of the unique possible values from the original source fields, even though the source information was originally contained within a single field in the source events.
| row[1] | _count |
|---|---|
| AppleWebKit/537.36 | 1 |
| AppleWebKit/605.1.15 | 1 |
| CFNetwork/1410.0.3 | 1 |
| Chrome/116.0.0.0 | 1 |
| Darwin/22.6.0 | 1 |
| Firefox/116.0 | 1 |
| Gecko/20100101 | 1 |
| Mobile/15E148 | 1 |
| Mozilla/5.0 | 1 |
| Safari/18615.3.12.11.2 | 1 |
| Safari/537.36 | 1 |
| Safari/604.1 | 1 |
| Safari/605.1.15 | 1 |
| Version/16.4 | 1 |
| Version/16.6 | 1 |
Deduplicate Compound Field Data With array:union() and split()
Query
splitString(field=userAgent,by=" ",as=agents)
|array:filter(array="agents[]", function={bname=/\//}, var="bname")
|array:union(array=agents,as=browsers)
split(browsers)Introduction
Deduplicating fields of information where there are multiple
occurences of a value in a single field, maybe seaprated by a
single character can be achieved in a variety of ways. This
solution uses array:union() and
split create a unique array and then split
the content out to a unique list.
For example, when examining the humio and looking
for the browsers or user agents that have used your instance,
the UserAgent data will
contain the browser and toolkits used to support them, for
example:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
The actual names are the
Name/Version pairs showing
compatibility with different browser standards. Resolving this
into a simplified list requires splitting up the list,
simplifying (to remove duplicates), filtering, and then
summarizing the final list.
Step-by-Step
Starting with the source repository events.
- logscale
splitString(field=userAgent,by=" ",as=agents)First we split up the userAgent field using a call to
splitString()and place the output into the array field agentsThis will create individual array entries into the agents array for each event:
agents[0]="Mozilla/5.0" agents[1]="(Macintosh;" agents[2]="Intel" agents[3]="Mac" agents[4]="OS" agents[5]="X" agents[6]="10_15_7)" agents[7]="AppleWebKit/537.36" agents[8]="(KHTML," agents[9]="like" agents[10]="Gecko)" agents[11]="Chrome/116.0.0.0" agents[12]="Safari/537.36" - logscale
|array:filter(array="agents[]", function={bname=/\//}, var="bname") - logscale
|array:union(array=agents,as=browsers)Using
array:union()we aggregate the list of user agents across all the events to create a list of unique entries. This will eliminate duplicates where the value of the user agent is the same value.The event data now looks like this:
browsers[0] browsers[1] browsers[2] Gecko/20100101 Safari/537.36 AppleWebKit/605.1.15 An array of the individual values.
- logscale
split(browsers)Using the
split()will split the array into individual events, turning:browsers[0] browsers[1] browsers[2] Gecko/20100101 Safari/537.36 AppleWebKit/605.1.15 into:
_index row[1] 0 Gecko/20100101 1 Safari/537.36 2 AppleWebKit/605.1.15 Event Result set.
Summary and Results
The resulting output from the query is a list of events with each event containing a matching _index and browser. This can be useful if you want to perform further processing on a list of events rather than an array of values.
Find Union of Two Arrays
Find union of two flat arrays using the array:union() function
Query
array:union(mailto, as=unique_mails)Introduction
Arrays are handy when you want to work with multiple values of
the same data type. The array:union()
function is used to filter two arrays for a set of distinct
elements from both arrays. One important feature of UNION is,
that it removes duplicate rows from the combined data meaning if
there are repetitions, then only one element occurrence should
be in the union.
Example incoming data might look like this:
| mailto[0] | mailto[1] |
|---|---|
| foo@example.com | bar@example.com |
| bar@example.com |
Step-by-Step
Starting with the source repository events.
- logscale
array:union(mailto, as=unique_mails)Searches in the mailto array across multiple events and returns the union of element values in a new array, where the unique emails will appear only once. In this case creating a unique list of email addresses in a single array.
Event Result set.
Summary and Results
The query is used to search for and eliminate duplicates of e-mail addresses in arrays/combined datasets.
Sample output from the incoming example data:
| unique_mails[0] | unique_mails[1] |
|---|---|
| bar@example.com | foo@example.com |