Aggregate Array Content
Query
logscale
array:contains("incidents[]", value="Cozy Bear")
| groupBy(host)
Introduction
Given events containing an incidents array:
Event 1
|--------------|-------------|
| host | v1 |
| incidents[0] | Evil Bear |
| incidents[1] | Cozy Bear |
|--------------|-------------|
Event 2
|--------------|-------------|
| host | v15 |
| incidents[0] | Fancy Fly |
| incidents[1] | Tiny Cat |
| incidents[2] | Cozy Bears |
|--------------|-------------|
Finds all the events where the incidents array contains an element exactly equal to Cozy Bear, and groups them by the affected host. The match is on the whole element, so Cozy Bears in Event 2 is not a match and only Event 1 qualifies, giving the output event shown under Summary and Results.
Step-by-Step
Starting with the source repository events.
logscale
array:contains("incidents[]", value="Cozy Bear")
Filters the events to those whose incidents array has at least one element that is exactly Cozy Bear. Because the comparison is against the whole element rather than a substring, Cozy Bears in Event 2 does not match and Event 2 is dropped. The matching events pass through unchanged; no new field is created.
logscale
| groupBy(host)
Groups the remaining events by host and counts them, producing a _count for each host.
Summary and Results
The result is a count, per host, of the events whose incidents array contains an element exactly equal to Cozy Bear. Only Event 1 qualifies, so host v1 has a count of 1; host v15 does not appear because Cozy Bears is not an exact match.
field | value |
---|---|
host | v1 |
_count | 1 |
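The following is an added example, not part of the LogScale documentation: a small Python model of what the two steps above do, run over the two events from this page (embedded as constructed sample data, flattened into incidents[0], incidents[1], ... fields the way LogScale stores array elements). It exists to make the exact-match semantics concrete: `array_contains()` models `array:contains()` and drops Event 2, while `naive_substring_contains()` shows the result you would get from a substring test, which wrongly keeps Cozy Bears. The function names and the `EVENTS` structure are assumptions made for this illustration, not LogScale APIs.

```python
import re
from collections import Counter

# Constructed sample data: the two events from the page, flattened into
# indexed fields (incidents[0], incidents[1], ...) as LogScale presents arrays.
EVENTS = [
    {"host": "v1", "incidents[0]": "Evil Bear", "incidents[1]": "Cozy Bear"},
    {"host": "v15", "incidents[0]": "Fancy Fly", "incidents[1]": "Tiny Cat",
     "incidents[2]": "Cozy Bears"},
]


def array_elements(event, array):
    """Return the elements of a flattened array field in index order.

    `array` is written as in the query, with the trailing [] (e.g. "incidents[]").
    """
    base = array[:-2] if array.endswith("[]") else array
    pattern = re.compile(re.escape(base) + r"\[(\d+)\]$")
    found = []
    for key, val in event.items():
        m = pattern.match(key)
        if m:
            found.append((int(m.group(1)), val))
    return [val for _, val in sorted(found)]


def array_contains(event, array, value):
    """Model of array:contains(): true only if some element equals value exactly."""
    return any(el == value for el in array_elements(event, array))


def naive_substring_contains(event, array, value):
    """The mistake to avoid: a substring test also accepts "Cozy Bears"."""
    return any(value in el for el in array_elements(event, array))


def group_by_count(events, field):
    """Model of groupBy(field): number of events per distinct field value (_count)."""
    return dict(Counter(e[field] for e in events if field in e))


def run_query(events=EVENTS, array="incidents[]", value="Cozy Bear", field="host"):
    """array:contains(array, value=value) | groupBy(field), exact-match semantics."""
    matched = [e for e in events if array_contains(e, array, value)]
    return group_by_count(matched, field)


def run_naive_query(events=EVENTS, array="incidents[]", value="Cozy Bear", field="host"):
    """Same pipeline but with the substring test, to show the extra host it admits."""
    matched = [e for e in events if naive_substring_contains(e, array, value)]
    return group_by_count(matched, field)


if __name__ == "__main__":
    print("exact match:    ", run_query())        # {'v1': 1}
    print("substring match:", run_naive_query())  # {'v1': 1, 'v15': 1}
```

Running the script prints the page's result ({'v1': 1}) for the exact-match model, and the substring variant additionally reports v15, which is the difference an analyst would miss if they assumed `array:contains()` behaved like a free-text search.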