Array Query Functions
LogScale's array functions allow you to extract, create and manipulate items embedded in arrays, or to interpret arrays, within events. For more information, see Array Syntax.
Table: Array Query Functions
| Function | Default Argument | Availability | Description |
|---|---|---|---|
array:contains(array, value) | array | Checks whether the given value matches any of the values of the array and excludes the event if no value matches | |
array:eval(array, [as], function, var) | array | Evaluates the function argument on all values in the array under the array argument overwriting the array | |
array:filter(array, [asArray], function, var) | array | Drops entries from the input array using the given filtering function. | |
array:intersection(array, [as]) | array | Determines the set intersection of array values over input events | |
array:length(array, [as]) | array | Counts the number of elements in an array. | |
array:reduceAll(array, function, var) | array | Computes a value from all events and array elements of the specified array. | |
array:reduceColumn(array, [as], function, var) | array | Computes an aggregate value for each array element with the same index. | |
array:reduceRow(array, [as], function, var) | array | Computes an aggregated value of an array on all events. | |
array:regex(array, [flags], regex) | array | Checks whether the given pattern matches any of the values of the array and excludes the event from the search result | |
array:union(array, [as]) | array | Determines the set union of array values over input events. | |
concatArray([as], field, [from], [prefix], [separator], [suffix], [to]) | field | Concatenates values of all fields with same name and an array suffix into a new field. | |
split([field], [strip]) | field | Splits an event structure created by a JSON array into distinct events. | |
splitString([as], by, [field], [index]) | field | Splits a string by specifying a regular expression by which to split. |
Common Recommendations for Array Query Functions
The following rules and recommendations apply to all the array query functions listed above.
Array functions do not support non-consecutive items in an array.
For example, when manipulating the array:
logscalefoo[0], foo[1], foo[3]The function will only run against:
logscalefoo[0], foo[1]Array indexes start at zero; For example, foo [0].
Arrays are identified using the array name with an [x] suffix.
For example, having the array:
logscalefoo[0], foo[1]Adding another field:
logscalefoo[2]Would result in the array:
logscalefoo[0],foo[1],foo[2]With no missing entries, array functions will run against them all.
Field names that have special characters (such as colons) or spaces need to be enclosed in backtick quotes to be properly identified in array functions:
logscalearray:contains("`log:errorcode`[]", value=3)If quotes are missing, those fields are not recognized as valid array arguments and an error message is shown in the Query Editor.
You cannot use nested arrays. For example, if you have foo[] in which each element is a bar[] you cannot give the argument:
logscalefoo[].bar[]