Filters events from the input array using the function provided in the array.
The order is maintained in the output array. The name of the output array cannot be the same as the input array.
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
array[a] | string | required | The array name in Falcon LogScale array syntax, for example for events with fields incidents[0], incidents[1], ... this would be incidents[], as in array:filter(array="incidents[0]", ...). | |
asArray | string | optional[b] | The output array. Defaults to the value passed to the array parameter. | |
function | Non-aggregate function | required | The function to use for filtering events in the array. | |
var | string | required | Name of the variable to be used in function argument. | |
[b] Optional parameters use their default value unless explicitly set | ||||
Omitted Argument NamesThe argument name for
arraycan be omitted; the following forms of this function are equivalent:logscalearray:filter("value[]")and:
logscalearray:filter(array="value[]")
array:filter() Examples
Given an array of three elements, retrieve those where the address
starts with ba:
logscale
mailto[0]=foo@example.com
mailto[1]=bar@example.com
mailto[2]=baz@example.comQuery function:
logscale
array:filter(array="mailto[]", var="addr", function={addr=ba*@example.com}, asArray="out[]")Expected output:
logscale
out[0]=bar@example.com
out[1]=baz@example.com