Available:objectArray:exists()
v1.175.0
The objectArray:exists() function is
available from version 1.175.0.
The function filters events based on array contents. It checks if an array contains at least one element that meets a specified condition.
objectArray:exists() is useful when
array:contains() is not flexible enough,
for example, when users want to compare the elements of the
array to the values of other fields, or when they want to use
query functions in the condition.
Although objectArray:exists() can be used
on both flat arrays and structured arrays, for best performance,
LogScale recommends using
objectArray:exists() only for nested arrays
(for example JSON structures). For flat arrays, the
array:exists() function is a recommended
equivalent. For a list of functions that can be used on flat
arrays, see Array Query Functions.
| Parameter | Type | Required | Default Value | Description |
|---|---|---|---|---|
array[a] | string | required | Name of the array in which to search for matching elements. Must follow valid Array Syntax for arrays. For example, for events with fields incidents[0], incidents[1], ... this would be incidents[]. | |
condition | non-aggregate pipeline | required | A non-aggregate pipeline. If an event passes through the pipeline, the event is included, otherwise it is excluded. | |
var | string | optional[b] | input array name. | Name of the variable to be used in the condition argument. |
[b] Optional parameters use their default value unless explicitly set. | ||||
Hide omitted argument names for this function
Omitted Argument NamesThe argument name for
arraycan be omitted; the following forms of this function are equivalent:logscale SyntaxobjectArray:exists("value",condition=)and:
logscale SyntaxobjectArray:exists(array="value",condition=)These examples show basic structure only.
Note that for nested arrays, the
objectArray:exists() function must be used
instead of the array:exists() function.
objectArray:exists() Examples
Click next to an example below to get the full details.
Check For Existence of Simple Values in Nested Array Using objectArray:exists()
Check for the existence of simple values in nested array using
objectArray:exists() function with
array:exists() as filter function
Query
kvparse()
| objectArray:exists(
array="a[]",
condition=array:exists(array="a.field.b[]", var=x, condition=test(x==2)))Introduction
In this example, the objectArray:exists()
function is used with the
condition argument and
array:exists() function to check if given
values are in the array.
The objectArray:exist() part
handles the structured part of the example, whereas the
array:exists() is used within the condition to loop
through the nested array. In a nested array, the outermost call must be
objectArray:exists(), the inner one could in theory
be either function, but LogScale recommends using
array:exists().
Example incoming data might look like this:
| a[0].field.b[0] | a[0].field.b[1] | a[1].field.b[0] | a[2].field.b[0] |
|---|---|---|---|
| 1 | <no value> | <no value> | <no value> |
| 1 | 2 | <no value> | <no value> |
| <no value> | <no value> | 3 | <no value> |
| 1 | 2 | 3 | 4 |
Step-by-Step
Starting with the source repository events.
- logscale
kvparse()Parses the string into key value pairs.
- logscale
| objectArray:exists( array="a[]", condition=array:exists(array="a.field.b[]", var=x, condition=test(x==2)))Filters for elements in the array a[] that meet the given condition, then checks if there exists a value in the a.field.b[] array that equals
2. Event Result set.
Summary and Results
The query is used to test for the existence of simple values in nested arrays. The query outputs the events that passed the filtering condition.
Sample output from the incoming example data:
| a[0].field.b[0] | a[0].field.b[1] | a[1].field.b[0] | a[2].field.b[0] |
|---|---|---|---|
| 1 | 2 | <no value> | <no value> |
| 1 | 2 | 3 | 4 |