Array Query Functions
LogScale's array functions allow you to extract, create and
manipulate items embedded in arrays, or to interpret arrays and nested
arrays within events. In the Array Query Functions
table, functions marked with array
can be used with a
flat array. Functions marked nested-array
are designed
for working with structured arrays.
Arrays can be parsed from incoming events using the
splitString()
or parseJson()
functions.
For information on using arrays, see Array Syntax.
Table: Array Query Functions
Function | Type | Default Argument | Availability | Description |
---|---|---|---|---|
array:append(array, values) | array, data-manipulation | array | Appends single or multiple values to an array, or creates a new array if it does not already exist. | |
array:contains(array, value) | array, data-manipulation, filter | array | Checks whether the given value matches any of the values of the array and excludes the event if no value matches. | |
array:dedup(array (or unnamed), [asArray]) | array, data-manipulation | array | introduced in 1.169.0 |
array:dedup() removes duplicate elements from
an array. The ordering of the first occurrence of each unique
element is preserved.
|
array:drop(array) | array | array | Takes the name of an array and drops all fields of this array. | |
array:eval(array, [asArray], function, [var]) | array | array | Evaluates the function argument on all values in the array under the array argument overwriting the array. | |
array:filter(array, [asArray], function, var) | array, data-manipulation, filter | array | Drops entries from the input array using the given filtering function. | |
array:intersection(array, [as]) | aggregate, array | array | Determines the set intersection of array values over input events. | |
array:length(array, [as]) | array, array-length | array | Counts the number of elements in an array. | |
array:reduceAll(array, function, var) | aggregate, array, data-manipulation | array | Computes a value from all events and array elements of the specified array. | |
array:reduceColumn(array, [as], function, var) | aggregate, array, data-manipulation | array | Computes an aggregate value for each array element with the same index. | |
array:reduceRow(array, [as], function, var) | array | array | Computes an aggregated value of an array on all events. | |
array:regex(array, [flags], regex) | array, filter, regular-expression | array | Checks whether the given pattern matches any of the values of the array and excludes the event from the search result. | |
array:rename(array, asArray) | array, data-manipulation | array | Takes the name of an array and renames all fields of this array. | |
array:union(array, [as]) | aggregate, array, data-manipulation | array | Determines the set union of array values over input events. | |
concatArray([as], field, [from], [prefix], [separator], [suffix], [to]) | array, data-manipulation, string | field | Concatenates values of all fields with same name and an array suffix into a new field. | |
objectArray:eval(array, asArray, function, [var]) | array, nested-array | array | Maps over an array of objects and outputs a new array of the mapped values. | |
split([field], [strip]) | array, data-manipulation | field | Splits an event structure created by a JSON array into distinct events. | |
splitString([as], by, [field], [index]) | array, data-manipulation, regular-expression, string | field | Splits a string by specifying a regular expression by which to split. |
Using Array Query Functions
The following rules and recommendations apply to all the array query functions listed in the Array Query Functions table.
Array functions do not support non-consecutive items in an array.
For example, when manipulating the array:
logscale Syntaxfoo[0], foo[1], foo[3]
The function will only run against:
logscale Syntaxfoo[0], foo[1]
Array indexes start at zero; For example, foo[0].
When referring to the whole array, use foo[].
Arrays elements are identified using the array name with an [x] suffix.
For example, having the array:
logscale Syntaxfoo[0], foo[1]
Adding another field:
logscale Syntaxfoo[2]
Results in the array:
logscale Syntaxfoo[0],foo[1],foo[2]
With no missing entries, array functions will run against them all.
Field names that have special characters (such as colons) or spaces need to be enclosed in backtick quotes to be properly identified in array functions:
logscalearray:contains("log:errorcode[]", value=3)
If quotes are missing, those fields are not recognized as valid array arguments and an error message is shown in the Query Editor.