This query function checks whether the given value matches any of the values of the array and excludes the event from the search result if it does not match on any value.

Function Traits: Filter, Negatable

ParameterTypeRequiredDefaultDescription
array[a]stringrequired  A string in the format of a valid array followed by []. A valid array can either be an identifier, a valid array followed by . and an identifier, or a valid array followed by an array index surrounded by square brackets. E.g., for events with fields incidents[0], incidents[1], ... this would be incidents[].
valuestringrequired  The exact value of the array to search for.

[a] The argument name array can be omitted.

The parameter name for array can be omitted; the following forms are equivalent:

logscale
array:contains("value")

and:

logscale
array:contains(array="value")

A specific syntax applies for this query function, see Array Syntax for details.

Aggregating Array Content

Query
flowchart LR; repo{{Events}} 0[/Filter/] 1[/Filter/] result{{Result Set}} repo --> 0 0 --> 1 1 --> result
logscale
array:contains("incidents[]", value="Cozy Bear")

| groupBy(host)
Introduction

Given events containing an incidents array:

Event 1

no-highlight
|--------------|-------------|
| host         | v1          |
| incidents[0] | Evil Bear   |
| incidents[1] | Cozy Bear   |
|--------------|-------------|

Event 2

no-highlight
|--------------|-------------|
| host         | v15         |
| incidents[0] | Fancy Fly   |
| incidents[1] | Tiny Cat    |
| incidents[2] | Cozy Bears  |
|--------------|-------------|

Find all the events where the field incidents contains the exact value Cozy Bear and group them by which hosts were affected, giving output event:

Step-by-Step

  1. Starting with the source repository events

  2. flowchart LR; repo{{Events}} 0[/Filter/] 1[/Filter/] result{{Result Set}} repo --> 0 0 --> 1 1 --> result style 0 fill:#ff0000,stroke-width:4px,stroke:#000;

    Extract elements from the array incidents from the field host that match the text Cozy Bear. The items will be output into the host field.

    logscale
    array:contains("incidents[]", value="Cozy Bear")
  3. flowchart LR; repo{{Events}} 0[/Filter/] 1[/Filter/] result{{Result Set}} repo --> 0 0 --> 1 1 --> result style 1 fill:#ff0000,stroke-width:4px,stroke:#000;

    Group the result events extracted from the array by the host.

    logscale
    | groupBy(host)

  4. Event Result set

Summary and Results

The result is an aggregated count of the array elements matching Cozy Bear.

no-highlight
|--------------|-------------|
| host         | v1          |
| _count       | 1           |
|--------------|-------------|