Important
This function is considered experimental and under active development and should not be used in production.
The function must be enabled using the feature flag ArrayFunctions. See Enabling & Disabling Feature Flags.
Determines the set union of array values over input events.
Used to compute the values that occur in any of the events supplied to this function. The output order of the values is not defined. If no arrays are found, the output is empty.
Parameter | Type | Required | Default | Description |
---|---|---|---|---|
array [a] | string | required | The prefix of the array in LogScale, for example for events with fields incidents[0], incidents[1], ... this would be incidents . | |
as | string | optional[b] | _union | The name of the output array. |
[b] Optional parameters use their default value unless explicitly set |
Omitted Argument NamesThe argument name for
array
can be omitted; the following forms of this function are equivalent:logscalearray:union("value[]")
and:
logscalearray:union(array="value[]")
These examples show basic structure only; full examples are provided below.
array:union()
Examples
Given two events with the fields mailto and mailto, return the addresses present in any event with this array.
For example, with the following input events:
mailto[0]=foo@example.com
mailto[1]=bar@example.com
mailto[0]=bar@example.com
Use the following query function:
array:union(mailto, as=unique_mails)
The output result:
unique_mails[0]=bar@example.com
unique_mails[1]=foo@example.com