Array Query Functions
LogScale's array functions allow you to extract, create and manipulate items embedded in arrays, or to interpret arrays, within events. For more information, see Array Syntax.
Table: Array Query Functions
Function | Default Argument | Availability | Description |
---|---|---|---|
array:contains(array, value) | array | Checks whether the given value matches any of the values of the array and excludes the event if no value matches | |
array:eval(array, [as], function, var) | array | Evaluates the function argument on all values in the array under the array argument overwriting the array | |
array:filter(array, function, var) | array | Drops entries from the input array using the given filtering function. | |
array:intersection(array, [as]) | array | Determines the set intersection of array values over input events | |
array:reduceColumn(array, [as], function, var) | array | Computes an aggregate value for each array element with the same index. | |
array:reduceRow(array, [as], function, var) | array | Computes an aggregated value of an array on all events. | |
array:regex(array, [flags], regex) | array | Checks whether the given pattern matches any of the values of the array and excludes the event from the search result | |
array:union(array, [as]) | array | Determines the set union of array values over input events. | |
concatArray([as], field, [from], [prefix], [separator], [suffix], [to]) | field | Concatenates values of all fields with same name and an array suffix into a new field. | |
split([field], [strip]) | field | Splits an event structure created by a JSON array into distinct events. | |
splitString([as], by, [field], [index]) | field | Splits a string by specifying a regular expression by which to split. |
Common Recommendations for Array Query Functions
The following rules and recommendations apply to all the array query functions listed above.
Array functions do not support non-consecutive items in an array.
For example, when manipulating the array:
logscalefoo[0], foo[1], foo[3]
The function will only run against:
logscalefoo[0], foo[1]
Array indexes start at zero; For example, foo [0].
Arrays are identified using the array name with an [x] suffix.
For example, having the array:
logscalefoo[0], foo[1]
Adding another field:
logscalefoo[2]
Would result in the array:
logscalefoo[0],foo[1],foo[2]
With no missing entries, array functions will run against them all.
You cannot use nested arrays. For example, if you have foo[] in which each element is a bar[] you cannot give the argument:
logscalefoo[].bar[]