Available:array:exists() v1.175.0

The array:exists() function is available from version 1.175.0.

The function filters events based on array contents. It checks if an array contains at least one element that meets a specified condition.

The array:exists() function is useful when array:contains() is not flexible enough, for example, when users want to compare the elements of the array to the values of other fields or when they want to use query functions in the condition.

Note

It is recommended to use the array:contains() function to check for simple values. See array:contains().

ParameterTypeRequiredDefault ValueDescription
array[a]stringrequired   Name of the array in which to search for matching elements. Must follow valid Array Syntax for array of scalars. For example, for events with fields incidents[0], incidents[1], ... this would be incidents[].
conditionnon-aggregate pipelinerequired   A non-aggregate pipeline. If an event passes through the pipeline, the event is included, otherwise it is excluded.
varstringoptional[b] input array name. Name of the variable to be used in the condition argument.

[a] The parameter name array can be omitted.

[b] Optional parameters use their default value unless explicitly set.

Hide omitted argument names for this function

Show omitted argument names for this function

The array:exists() function can use other filter functions, such as in() or if(), or pipelines.

Note that for structured arrays, the objectArray:exists() function must be used instead of the array:exists() function. For more information, see objectArray:exists(). For a complete list of functions for flat arrays, see Array Query Functions.

Click + next to an example below to get the full details.

Check For Existence of Element Contained in Given List of Values

Check for the existence of an element contained in a given list of simple values in a flat array using array:exists() function with in()

Query
logscale
kvparse()
| array:exists(array="a[]", condition=in(a, values=[3, 4]))
Introduction

In this example, the array:exists() function is used with the condition argument and the filter function in() to check if given values are in the array.

Example incoming data might look like this:

a[0]a[1]
12
13
14
Step-by-Step

  1. Starting with the source repository events.

  2. logscale
    kvparse()

    Parses the string into key value pairs.

  3. logscale
    | array:exists(array="a[]", condition=in(a, values=[3, 4]))

    Filters for events where the a[] array contains the values 3 or 4.

  4. Event Result set.

Summary and Results

The query is used to check for the existence of simple values in a flat array.

Sample output from the incoming example data: 

"a[0]","a[1]"
"1","3"
"1","4"

Check For Existence of Element Larger Than Given Number

Check for the existence of an element larger than a given number in a flat array using array:exists() function

Query
logscale
kvparse()
| array:exists(array="a[]", condition={a>2})
Introduction

In this example, the array:exists() function is used with the condition argument to check if a given value is in the array.

Note

It is recommended to use the array:contains() function to check for simple values. See array:contains().

Example incoming data might look like this:

a[0]a[1]
12
13
14
Step-by-Step

  1. Starting with the source repository events.

  2. logscale
    kvparse()

    Parses the string into key value pairs.

  3. logscale
    | array:exists(array="a[]", condition={a>2})

    Filters for events where the a[] array contains a value greater than 2.

  4. Event Result set.

Summary and Results

The query is used to check for the existence of simple values in a flat array.

Sample output from the incoming example data:

a[0]a[1]
13
14

Check For Existence of Element Using Complex Conditions

Check for the existence of elements using complex conditions in flat array using array:exists() function with in() and if()

Query
logscale
kvparse()
| array:exists(
array="a[]",
condition=if(in(a, values=[2,5]), then=true, else=in(a, values=[3, 6]))
Introduction

In this example, the array:exists() function is used with the condition argument and if() function along with the in() function to check if given values are in the array.

The example demonstrates how to use the () function along with the () function to create a logical OR-like condition in the expression language. It allows for more complex filtering logic, when a direct logical OR operator is not available.

Example incoming data might look like this:

a[0]a[1]
12
13
14
Step-by-Step

  1. Starting with the source repository events.

  2. logscale
    kvparse()

    Parses the string into key value pairs.

  3. logscale
    | array:exists(
array="a[]",
condition=if(in(a, values=[2,5]), then=true, else=in(a, values=[3, 6]))

    Filters for events where the a[] array contains the values 2 or 5. If not containing these values, it filters for events where the a[] array contains the values 3 or 6.

  4. Event Result set.

Summary and Results

The query is used to check for the existence of simple values in nested arrays.

Sample output from the incoming example data:

a[0]a[1]
12
13

Check For Existence of Elements Using Filtering Pipeline

Check for the existence of element in a flat array using the array:exists() function with a filtering pipeline

Query
logscale
kvparse()
| array:exists(
array="a[]",
var=x,
condition={ x=3 OR x=4 | test(x>=b) })
Introduction

In this example, the array:exists() function is used with the condition argument and test() function to check if given values are in the array.

Example incoming data might look like this:

a[0]a[1]b
124
134
143
Step-by-Step

  1. Starting with the source repository events.

  2. logscale
    kvparse()

    Parses the string into key value pairs.

  3. logscale
    | array:exists(
array="a[]",
var=x,
condition={ x=3 OR x=4 | test(x>=b) })

    Filters for events where the a[] array contains the values 3 or 4 and where x is greater than or equal to the value of the field b in the event.

  4. Event Result set.

Summary and Results

The query is used to compare array entries to both fixed values and field values. The query outputs the event that passed the filtering condition in the pipeline.

Sample output from the incoming example data:

a[0]a[1]b
143

Check For Existence of Simple Values in Nested Array Using objectArray:exists()

Check for the existence of simple values in nested array using objectArray:exists() function with array:exists() as filter function

Query
logscale
kvparse()
| objectArray:exists(
array="a[]",
condition=array:exists(array="a.field.b[]", var=x, condition=test(x==2)))
Introduction

In this example, the objectArray:exists() function is used with the condition argument and array:exists() function to check if given values are in the array.

The objectArray:exist() part handles the structured part of the example, whereas the array:exists() is used within the condition to loop through the nested array. In a nested array, the outermost call must be objectArray:exists(), the inner one could in theory be either function, but LogScale recommends using array:exists().

Example incoming data might look like this:

a[0].field.b[0]a[0].field.b[1]a[1].field.b[0]a[2].field.b[0]
1<no value><no value><no value>
12<no value><no value>
<no value><no value>3<no value>
1234

Step-by-Step

  1. Starting with the source repository events.

  2. logscale
    kvparse()

    Parses the string into key value pairs.

  3. logscale
    | objectArray:exists(
array="a[]",
condition=array:exists(array="a.field.b[]", var=x, condition=test(x==2)))

    Filters for elements in the array a[] that meet the given condition, then checks if there exists a value in the a.field.b[] array that equals 2.

  4. Event Result set.

Summary and Results

The query is used to test for the existence of simple values in nested arrays. The query outputs the events that passed the filtering condition.

Sample output from the incoming example data:

a[0].field.b[0]a[0].field.b[1]a[1].field.b[0]a[2].field.b[0]
12<no value><no value>
1234