Aggregate Array Content

Query

logscale
array:contains("incidents[]", value="Cozy Bear")
| groupBy(host)

Introduction

Given events containing an incidents array:

Event 1

| field        | value       |
|--------------|-------------|
| host         | v1          |
| incidents[0] | Evil Bear   |
| incidents[1] | Cozy Bear   |

Event 2

| field        | value       |
|--------------|-------------|
| host         | v15         |
| incidents[0] | Fancy Fly   |
| incidents[1] | Tiny Cat    |
| incidents[2] | Cozy Bears  |

Finds all the events where the incidents array contains the exact value Cozy Bear and groups them by the affected host. Only Event 1 matches: the value Cozy Bears in Event 2 is not an exact match. This gives the output event shown below.

Step-by-Step

  1. Starting with the source repository events.

  2. Flow: Events -> Filter -> Filter -> Result Set; this step is the first Filter.
    logscale
    array:contains("incidents[]", value="Cozy Bear")

    Filters the events down to those whose incidents array has an element exactly equal to Cozy Bear. Event 1 passes the filter; Event 2 does not, because Cozy Bears is not an exact match.

  3. Flow: Events -> Filter -> Filter -> Result Set; this step is the second Filter.
    logscale
    | groupBy(host)

    Groups the filtered events by the host field and counts the events in each group.

  4. Event Result set.

Summary and Results

The result is an aggregated count, per host, of the events whose incidents array contains the exact value Cozy Bear.

| field  | value |
|--------|-------|
| host   | v1    |
| _count | 1     |
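To make the exact-match semantics of this query concrete, the following Python model reproduces the two-step pipeline over the two events above. This is an added example written for this page; it is not LogScale code and not part of the product. It assumes LogScale's flattened array field naming (incidents[0], incidents[1], ...) as shown in the event tables, and the function names array_elements, array_contains, group_by and run_query are this example's own.

```python
import re
from collections import Counter

# Constructed sample events in flattened array form, copied from the two events on the page.
EVENTS = [
    {"host": "v1", "incidents[0]": "Evil Bear", "incidents[1]": "Cozy Bear"},
    {"host": "v15", "incidents[0]": "Fancy Fly", "incidents[1]": "Tiny Cat",
     "incidents[2]": "Cozy Bears"},
]


def array_elements(event, array_field):
    """Return the elements of a flattened array field such as "incidents[]" in index order.

    Array members are stored as fields named incidents[0], incidents[1], ...;
    any field that is not an indexed member of this array is ignored.
    """
    base = array_field[:-2] if array_field.endswith("[]") else array_field
    pattern = re.compile(re.escape(base) + r"\[(\d+)\]$")
    indexed = []
    for name, value in event.items():
        match = pattern.match(name)
        if match:
            indexed.append((int(match.group(1)), value))
    return [value for _, value in sorted(indexed)]


def array_contains(events, array_field, value):
    """Model of array:contains(): keep events whose array has an element exactly equal to value.

    Comparison is whole-string equality, so "Cozy Bears" does not satisfy value="Cozy Bear".
    """
    return [event for event in events if value in array_elements(event, array_field)]


def group_by(events, field):
    """Model of groupBy(field): one row per distinct field value with the event count in _count."""
    counts = Counter(event[field] for event in events if field in event)
    return [{field: key, "_count": count} for key, count in sorted(counts.items())]


def run_query(events, value="Cozy Bear"):
    """array:contains("incidents[]", value=...) | groupBy(host), applied to the given events."""
    return group_by(array_contains(events, "incidents[]", value), "host")


if __name__ == "__main__":
    for row in run_query(EVENTS):
        print(row)
```

Running it prints a single row for host v1 with _count 1, matching the result table. Changing the value to Cozy Bears instead selects Event 2 only, which shows why a near-duplicate spelling in the data silently drops out of an exact-match filter.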