Filters events from the input array using the function provided in the array.
The order is maintained in the output array.
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
array[a] | string | required | The array name in Falcon LogScale array syntax, for example for events with fields incidents[0], incidents[1], ... this would be incidents[], as in array:filter(array="incidents[0]", ...). | |
asArray | string | optional[b] | The output array. Defaults to the value passed to the array parameter. | |
function | Non-aggregate function | required | The function to use for filtering events in the array. | |
var | string | required | Name of the variable to be used in function argument. | |
[b] Optional parameters use their default value unless explicitly set | ||||
Omitted Argument NamesThe argument name for
arraycan be omitted; the following forms of this function are equivalent:logscalearray:filter("value[]",var="value",function="value")and:
logscalearray:filter(array="value[]",var="value",function="value")These examples show basic structure only; full examples are provided below.
array:filter() Examples
Given an array of three elements, retrieve those where the address
starts with ba:
logscale
mailto[0]=foo@example.com
mailto[1]=bar@example.com
mailto[2]=baz@example.comQuery function:
logscale
array:filter(array="mailto[]", var="addr", function={addr=ba*@example.com}, asArray="out[]")Expected output:
logscale
out[0]=bar@example.com
out[1]=baz@example.com