Appends single or multiple values to an array, or creates a new array if it does not already exist.
Parameter | Type | Required | Default Value | Description |
---|---|---|---|---|
array [a] | string | required | Name of the array to append values to. Must follow valid Array Syntax for array of scalars. For example, for events with fields incidents[0], incidents[1], ... this would be incidents[] . | |
value | string | required | The list of expressions to be appended. | |
[a] The argument name |
Hide omitted argument names for this function
Omitted Argument NamesThe argument name for
array
can be omitted; the following forms of this function are equivalent:logscalearray:append("value[]",value="value")
and:
logscalearray:append(array="value[]",value="value")
These examples show basic structure only.
The syntax for array:append()
looks like this:
array:append(array=foo[], value=[<exp_1>, &ellipsis; <exp_n>])
where array:append()
is used to either append the
values of exp_1
to exp_n
at the end of the
foo[]
array, or create a new array of these values if the
array foo[]
is not present in the event. If one of the
expressions does not evaluate to a value, then that expression is skipped.
array:append()
requires that the input array has
continuous, sequential indexes with no gaps. If there are gaps (that is,
missing indexes), the function will start inserting new values at the
first missing index, potentially overwriting existing elements. For
example, having a missing index like in:
|-----------------|
|array[0] | foo |
|array[1] | bar |
|array[3] | baz |
|-----------------|
the query:
array:append(array[], values=["x", "y", "z"])
will produce the following output:
field | value |
---|---|
array[0] | foo |
array[1] | bar |
array[2] | x |
array[3] | y |
array[4] | z |
meaning that array[3] will be overwritten.
array:append()
Examples
Given an event with a field numbers as a string separated by commas, this can be split into an array and then the array extended with new values. For example, the event:
|-----------------------| | numbers | "1,2,3" | |-----------------------|
Could be expanded into an array using:
logscalecreateEvents(["numbers=\"1,2,3\""]) | kvParse() | splitString(field=numbers,by=",",as=numbarr) | array:append(array="numbarr[]", values=[4]) | select([numbers, numbarr[0], numbarr[1], numbarr[2], numbarr[3]])
Will produce:
numbarr[0] numbarr[1] numbarr[2] numbarr[3] 1 2 3 4 Create a
related.user[]
array that contains information about all user names seen on the event. User names should be normalized to lower case before appending to the array. The following query:logscalecreateEvents(["{\"source.user.name\": \"user_1\", \"destination.user.name\": \"USER_2\"}"]) | parseJson() | array:append(array="related.user[]", values=[lower(source.user.name), lower(destination.user.name)]) | select([source.user.name, destination.user.name, related.user[0], related.user[1]])
will produce:
source.user.name destination.user.name related.user[0] related.user[1] user_1 USER_2 user_1 user_2