Array Query Functions
LogScale's array functions allow you to extract, create and manipulate
items embedded in arrays, or to interpret arrays and nested arrays within
events. In the table below, functions marked with array
can be used on any array field. Functions marked
nested-array are designed for working with more complex
nested arrays.
For information on using arrays, see Array Syntax.
Table: Array Query Functions
| Function | Type | Default Argument | Availability | Description |
|---|---|---|---|---|
array:append(array, value) | array, data-manipulation, filter | array | Appends single or multiple values to an array, or creates a new array if it does not already exist. | |
array:contains(array, value) | array, data-manipulation, filter | array | Checks whether the given value matches any of the values of the array and excludes the event if no value matches | |
array:drop(array) | array, filter | array | introduced in 1.159.0 | Takes the name of an array and drops all fields of this array. |
array:eval(array, [asArray], function, [var]) | array | array | Evaluates the function argument on all values in the array under the array argument overwriting the array | |
array:filter(array, [asArray], function, var) | array, data-manipulation, filter | array | Drops entries from the input array using the given filtering function. | |
array:intersection(array, [as]) | aggregate, array | array | Determines the set intersection of array values over input events | |
array:length(array, [as]) | array, array-length | array | Counts the number of elements in an array. | |
array:reduceAll(array, function, var) | aggregate, array, data-manipulation | array | Computes a value from all events and array elements of the specified array. | |
array:reduceColumn(array, [as], function, var) | aggregate, array, data-manipulation | array | Computes an aggregate value for each array element with the same index. | |
array:reduceRow(array, [as], function, var) | array | array | Computes an aggregated value of an array on all events. | |
array:regex(array, [flags], regex) | array, filter, regular-expression | array | Checks whether the given pattern matches any of the values of the array and excludes the event from the search result | |
array:rename(array, asArray) | array, data-manipulation | array | introduced in 1.160.0 | Takes the name of an array and renames all fields of this array. |
array:union(array, [as]) | aggregate, array, data-manipulation | array | Determines the set union of array values over input events. | |
concatArray([as], field, [from], [prefix], [separator], [suffix], [to]) | array, data-manipulation, string | field | Concatenates values of all fields with same name and an array suffix into a new field. | |
objectArray:eval(array, asArray, function, [var]) | array, nested-array | array | introduced in 1.155.0 | Maps over an array of objects and outputs a new array of the mapped values |
split([field], [strip]) | array, data-manipulation, regular-expression, string | field | Splits an event structure created by a JSON array into distinct events. | |
splitString([as], by, [field], [index]) | array, data-manipulation, string | field | Splits a string by specifying a regular expression by which to split. |
Using Array Query Functions
The following rules and recommendations apply to all the array query functions listed above.
Array functions do not support non-consecutive items in an array.
For example, when manipulating the array:
logscalefoo[0], foo[1], foo[3]The function will only run against:
logscalefoo[0], foo[1]Array indexes start at zero; For example, foo[0].
When rereferring to the whole array, use foo[].
Arrays elements are identified using the array name with an [x] suffix.
For example, having the array:
logscalefoo[0], foo[1]Adding another field:
logscalefoo[2]Would result in the array:
logscalefoo[0],foo[1],foo[2]With no missing entries, array functions will run against them all.
Field names that have special characters (such as colons) or spaces need to be enclosed in backtick quotes to be properly identified in array functions:
logscalearray:contains("log:errorcode[]", value=3)If quotes are missing, those fields are not recognized as valid array arguments and an error message is shown in the Query Editor.
You cannot use nested arrays. For example, if you have foo[] in which each element is a bar[] you cannot give the argument:
logscalefoo[1].bar[3]