Filters the elements of the input array using the function provided in the function parameter.
The order of the elements is maintained in the output array.

Parameter | Type | Required | Default | Description |
---|---|---|---|---|
array [a] | string | required | | The array name in Falcon LogScale array syntax, for example for events with fields incidents[0], incidents[1], ... this would be incidents[], as in array:filter(array="incidents[]", ...). |
asArray | string | optional[b] | | The output array. Defaults to the value passed to the array parameter. |
function | Non-aggregate function | required | | The function to use for filtering events in the array. |
var | string | required | | Name of the variable to be used in the function argument. |

[b] Optional parameters use their default value unless explicitly set.

Omitted Argument Names

The argument name for array can be omitted; the following forms of this function are equivalent:

```logscale
array:filter("value[]",var="value",function="value")
```

and:

```logscale
array:filter(array="value[]",var="value",function="value")
```

These examples show basic structure only; full examples are provided below.

array:filter() Examples

Given an array of three elements, retrieve those where the address starts with ba:

```logscale
mailto[0]=foo@example.com
mailto[1]=bar@example.com
mailto[2]=baz@example.com
```

Query function:

```logscale
array:filter(array="mailto[]", var="addr", function={addr=ba*@example.com}, asArray="out[]")
```

Expected output:

```logscale
out[0]=bar@example.com
out[1]=baz@example.com
```
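
The behaviour described above (order kept, surviving elements re-indexed from 0, asArray defaulting to the input array) can be modelled offline to check a filter against exported events. This is an added Python example, not LogScale's implementation; `array_filter`, `wildcard` and `EVENT` are hypothetical names. It assumes that `*` is the only wildcard, that the input array is left untouched when asArray names a different array, and that filtering in place drops the old elements first.

```python
import re

# Flattened array fields look like mailto[0], mailto[1], ...
_INDEXED = re.compile(r"^(?P<name>.+)\[(?P<idx>\d+)\]$")


def wildcard(pattern):
    """Case-sensitive '*' matcher standing in for function={addr=ba*@example.com}."""
    rx = re.compile(".*".join(re.escape(p) for p in pattern.split("*")))
    return lambda value: rx.fullmatch(value) is not None


def array_filter(event, array, predicate, as_array=None):
    """Model the documented array:filter() behaviour on one event (a dict)."""
    dst_name = as_array or array  # asArray defaults to the array parameter
    for name in (array, dst_name):
        if not name.endswith("[]"):
            raise ValueError(f"{name!r} is not in array syntax, e.g. incidents[]")
    src, dst = array[:-2], dst_name[:-2]

    # Key elements by numeric index so mailto[10] is ordered after mailto[9].
    elements = {}
    for field, value in event.items():
        m = _INDEXED.match(field)
        if m and m.group("name") == src:
            elements[int(m.group("idx"))] = value

    kept = [elements[i] for i in sorted(elements) if predicate(elements[i])]

    out = dict(event)
    if dst == src:
        # Assumption: filtering in place drops the old elements first.
        for i in elements:
            del out[f"{src}[{i}]"]
    # Survivors are re-indexed from 0 in their original order.
    for i, value in enumerate(kept):
        out[f"{dst}[{i}]"] = value
    return out


# Constructed sample event, taken from the page's example input.
EVENT = {
    "mailto[0]": "foo@example.com",
    "mailto[1]": "bar@example.com",
    "mailto[2]": "baz@example.com",
}

if __name__ == "__main__":
    result = array_filter(EVENT, "mailto[]", wildcard("ba*@example.com"), "out[]")
    print({k: v for k, v in result.items() if k.startswith("out[")})
```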