Concatenates the values of all fields with the same name and an array
suffix into a value in a new field. Such array fields typically come as
output from either parseJson()
or
splitString()
.
All array fields starting with index from and ending with index to are selected. If some index is missing, the concatenation stops with the previous index, thus if only index 0, 1 and 3 are present, only index 0 and 1 are concatenated. If the first index is missing, no field is added to the event.
Parameter | Type | Required | Default Value | Description |
---|---|---|---|---|
as | string | optional[a] | _concatArray | Name of output field. |
field [b] | string | required | Base name for array fields to concatenate. | |
from | number | optional[a] | 0 | First array index to include [0..∞]. |
prefix | string | optional[a] | Prefix to prepend to the generated string. | |
separator | string | optional[a] | Separator between values. | |
suffix | string | optional[a] | Suffix to append to the generated string. | |
to | number | optional[a] | Last array index to include (leave out to get all). Must be equal to or larger than from . | |
[a] Optional parameters use their default value unless explicitly set. |
Hide omitted argument names for this function
Omitted Argument NamesThe argument name for
field
can be omitted; the following forms of this function are equivalent:logscaleconcatArray("field")
and:
logscaleconcatArray(field="field")
These examples show basic structure only.
concatArray()
Examples
Concatenate Object Arrays Into Single Array
Query
"a[0].foo" := "a"
| "a[0].bar" := "b"
| "a[1].foo" := "c"
| "a[1].bar" := "d"
| objectArray:eval(array="a[]", asArray="output[]", var="x", function={output := x.bar})
| concatArray("output")
Introduction
The objectArray:eval()
function is a
structured array query function that follows normal array syntax.
The array syntax is similar to the one used by JSON, where
[
and ]
are used for
indexing and .
for selecting members in
objects. For more information, see Array Syntax.
The objectArray:eval()
function operates on
arrays of objects. In this example, the
objectArray:eval()
function is used to
extract one object from each element of an array of objects and
then uses concatArray()
to create a single
string of the values.
Example incoming data might look like this:
a[0].foo: a |
a[0].bar: b |
a[1].foo: c |
a[1].bar: d |
Step-by-Step
Starting with the source repository events
- logscale
"a[0].foo" := "a" | "a[0].bar" := "b" | "a[1].foo" := "c" | "a[1].bar" := "d"
- logscale
| objectArray:eval(array="a[]", asArray="output[]", var="x", function={output := x.bar})
Iterates (creates a loop) over the array
a[]
and adds the value of the object.bar
to a new arrayoutput[]
. This is achieved by executing an anonymous function, which sets the value ofoutput
to the iterated value ofx.bar
froma[]
.The
asArray
parameter is set to the output[] field, and then when we assign the value of x.bar to this output[] field. - logscale
| concatArray("output")
Concatenates the array values in the output array and returns the result in a new field named _concatArray.
Notice that the
concatArray()
function concatenates the elements of the supplied array and returns a string, containing the joined arrays. TheconcatArray()
method does not change the existing arrays. Event Result set
Summary and Results
The query is used to create a single value from compound arrays. This can be useful when you need to generate an identity field from a nested array, for example when summarizing data, or to create compound values from class definitions or IP addresses.
Sample output from the incoming example data:
a[0].foo | a[0].bar | a[1].foo | a[1].bar | output[0] | output[1] | _concatArray |
---|---|---|---|---|---|---|
a | b | c | d | b | d | bd |
Concatenate Values from Deeply Nested Array Elements - Example 3
Query
objectArray:eval(
"in[]",
asArray="out[]",
function={
objectArray:eval("in.others[]", asArray="tmp[]", function={tmp := "in.others.d"}
| out := concatArray(tmp)
}
)
Introduction
The objectArray:eval()
function is a
structured array query function that follows normal array
syntax. The array syntax is similar to the one used by JSON,
where [
and ]
are used for
indexing and .
for selecting members in
objects. For more information, see
Array Syntax. The
objectArray:eval()
function operates on
arrays of objects using a function that supports a special
pattern to access sub-selections of array entries.
The special pattern that allows the function to operate on arrays of objects, and arrays of arrays, and other arrays of structured data is: "in" (the input array) followed by:
.subselection
or
[number]
or any combination of the above. For example:
in.key,
in.others[0].foo
in[0][1]
Semantically, given the input array in
, an array
index i
, and an access in.subselection
this will be translated to the field name
in[i].
.
Similarly, subselection
in[2]
is translated to
in[i][2]
.
The objectArray:eval
function can be
combined with other array functions (or itself), in order to
support processing nested arrays.
In this example, the objectArray:eval()
function is used with itself to concatenate a deeply nested
arrays of objects values in the array in[]
and return the concatenated values in the output field
out[].
Example incoming data might look like this:
in[0].others[0].d: 1
in[0].others[1].d: 2
in[0].others[2].d: 3
in[1].others[0].d: 4
in[1].others[1].d: 5
in[1].others[2].d: 6
Step-by-Step
Starting with the source repository events
- logscale
objectArray:eval( "in[]", asArray="out[]", function={
Iterates over the array from start to end (or to the first empty index in the array, applies the given function, and returns the concatenated results in a new output array name field out[].
- logscale
objectArray:eval("in.others[]", asArray="tmp[]", function={tmp := "in.others.d"} | out := concatArray(tmp) } )
The nested
objectArray:eval()
performs the concatenation of the values within the nested array by calling theconcatArray()
function.Notice that in the nested call to
objectArray:eval()
, the given input array name is the nested array in.others[]. This works because it is translated to the field in[i].others[] by the parentobjectArray:eval()
current array indexi
.To return the concatenated array, the
asArray
parameter is set to the tmp[] field, and then when we assign the value of the concatenated value. Event Result set
Summary and Results
The query is used to concatenate deeply nested arrays of objects. The use of this function in this way is often useful when incoming ingested data has been defined in a nested structure, but needs to be displayed or summarized. For example, importing the properties or configuration values may result in a list of potential values for a given property. Concatenating the values together makes them easier to use as a summary value for display in a table or graph.
Sample output from the incoming example data:
out[0]: 123
out[1]: 456
Concatenate Values in Arrays into New Named Field - Example 2
Query
concatArray("email", as=servers)
Introduction
The concatArray()
method concatenates (joins)
two or more arrays and returns a new array, containing the joined
arrays. The concatArray()
method does not
change the existing arrays. For more information, see
Array Syntax. In this example, the
concatArray()
function concatenates the
values of all fields with the same name into a value in a new
defined field.
Example incoming data might look like this:
email[0] := "dopey"
email[1] := "sleepy"
email[2] := "doc"
email[3] := "happy"
email[4] := "sneezy"
Step-by-Step
Starting with the source repository events
- logscale
concatArray("email", as=servers)
Concatenates the values of fields email[0], email[1] and so on and returns the results in a field named servers.
Event Result set
Summary and Results
The query is used to concatenate (join) two or more arrays into a new array. Concatenation is useful in programming and computing because it allows you to store and combine multiple pieces of data when needed.
Sample output from the incoming example data:
email[0] | email[1] | email[2] | email[3] | email[4] | servers |
---|---|---|---|---|---|
dopey | sleepy | doc | happy | sneezy | dopeysleepydochappysneezy |
Concatenate Values in Arrays using Pipe Separation
Query
concatArray(server, separator=" | ")
Introduction
The concatArray()
method concatenates
(joins) two or more arrays and returns a new array, containing
the joined arrays. The concatArray()
method
does not change the existing arrays. For more information, see
Array Syntax. In this example, the
concatArray()
function concatenates the
values of all fields with the same name into pipe separated
values in a new field.
Example incoming data might look like this:
server[0] := "dopey"
server[1] := "sleepy"
server[2] := "doc"
server[3] := "happy"
server[4] := "sneezy"
Step-by-Step
Starting with the source repository events
- logscale
concatArray(server, separator=" | ")
Concatenates the values of fields server[0], server[1] and so on and returns the results in a new array with a field named _concatArray where the concatenated values are separated by a pipe.
Event Result set
Summary and Results
The query is used to concatenate (join) two or more arrays into a new array where the concatenated values are separated by a pipe. Concatenation is useful in programming and computing because it allows you to store and combine multiple pieces of data when needed.
Sample output from the incoming example data:
server[0] | server[1] | server[2] | server[3] | server[4] | _concatArray |
---|---|---|---|---|---|
dopey | sleepy | doc | happy | sneezy | dopey | sleepy | doc | happy | dopey |
Concatenate Values in Arrays with a Defined Prefix and Suffix
Query
concatArray(server, prefix="[", separator=",", suffix="]")
Introduction
The concatArray()
method concatenates (joins)
two or more arrays and returns a new array, containing the joined
arrays. The concatArray()
method does not
change the existing arrays. For more information, see
Array Syntax. In this example, the
concatArray()
function concatenates the
values of all fields with the same name and an array suffix into a
value in a new field, adding a prefix and a suffix to the
generated output result.
Example incoming data might look like this:
server[0] := "dopey"
server[1] := "sleepy"
server[2] := "doc"
server[3] := "happy"
server[4] := "sneezy"
Step-by-Step
Starting with the source repository events
- logscale
concatArray(server, prefix="[", separator=",", suffix="]")
Concatenates the values of fields server[0], server[1] and so on and returns the results as a string named _concatArray enclosed in square brackets, and separated by a comma, which is similar to the written array format.
Event Result set
Summary and Results
This can be useful to summarize or format a list of items for use in another part of the query.
Sample output from the incoming example data:
server[0] | server[1] | server[2] | server[3] | server[4] | _concatArray |
---|---|---|---|---|---|
dopey | sleepy | doc | happy | sneezy | [dopey,sleepy,doc,happy,dopey] |
Concatenate Values of All Fields with Same Name in an Array - Example 1
Query
concatArray(server)
Introduction
The concatArray()
function concatenates
(joins) two or more arrays and returns a new array, containing
the joined arrays. The concatArray()
method
does not change the existing arrays. For more information, see
Array Syntax. In this example, the
concatArray()
function concatenates the
values of all fields with the same name into a value in a new
field.
Example incoming data might look like this:
server[0] := "dopey" |
server[1] := "sleepy" |
server[2] := "doc" |
server[3] := "happy" |
server[4] := "sneezy" |
Step-by-Step
Starting with the source repository events
- logscale
concatArray(server)
Concatenates the values of fields server[0], server[1] and so on and returns the results in a new array with a field named _concatArray. If no field is defined, the aggregate function always creates a field name beginning with underscore for the returned values.
Event Result set
Summary and Results
The query is used to concatenate (join) two or more arrays into a new array. Concatenation is useful in programming and computing because it allows you to store and combine multiple pieces of data when needed.
Sample output from the incoming example data:
_concatArray: dopeysleepydochappysneezy |
---|
server [0] |
server [1] |
server [2] |
server [3] |
server [4] |
Concatenate a Range of Values in Arrays - Example 3
Query
concatArray(server, from=1, to=3)
Introduction
The concatArray()
method concatenates (joins)
two or more arrays and returns a new array, containing the joined
arrays. The concatArray()
method does not
change the existing arrays. For more information, see
Array Syntax. In this example, the
concatArray()
function concatenates the
values of all fields with the same name and index between 1 to 3
into a value in a new field.
Example incoming data might look like this:
server[0] := "dopey"
server[1] := "sleepy"
server[2] := "doc"
server[3] := "happy"
server[4] := "sneezy"
Step-by-Step
Starting with the source repository events
- logscale
concatArray(server, from=1, to=3)
Concatenates the values of fields server[1], server[2], and server[3], and returns the results in a new array with a field named _concatArray.
Event Result set
Summary and Results
The query is used to concatenate (join) two or more arrays into a new array. Concatenation is useful in programming and computing because it allows you to store and combine multiple pieces of data when needed.
Sample output from the incoming example data:
server[0] | server[1] | server[2] | server[3] | server[4] | _concatArray |
---|---|---|---|---|---|
dopey | sleepy | doc | happy | sneezy | sleepydochappy |