Check For Existence of Simple Values in Nested Array Using objectArray:exists()

Check for the existence of simple values in a nested array using the objectArray:exists() function with array:exists() as the filter function

Query

logscale
kvparse()
| objectArray:exists(
array="a[]",
where=array:exists(array="a.field.b[]", var=x, condition=test(x==2)))

Introduction

The objectArray:exists() function can be used to check for the existence of an element that satisfies a condition, expressed as a pipeline, in a nested array.

In this example, the objectArray:exists() function is used with the condition argument and the array:exists() function to check whether given values are in the array.

The objectArray:exists() part handles the structured part of the example, whereas array:exists() is used within the condition to loop through the nested array. In a nested array, the outermost call must be objectArray:exists(). The inner one could in theory be either function, but LogScale recommends using array:exists().

Example incoming data might look like this:

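| a[0].field.b[0] | a[0].field.b[1] | a[1].field.b[0] | a[2].field.b[0] |
|-----------------|-----------------|-----------------|-----------------|
| 1               | <no value>      | <no value>      | <no value>      |
| 1               | 2               | <no value>      | <no value>      |
| <no value>      | <no value>      | 3               | <no value>      |
| 1               | 2               | 3               | 4               |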

Step-by-Step

  1. Starting with the source repository events.

  2.
    logscale
    kvparse()

    Parses the string into key value pairs.

  3.
    logscale
    | objectArray:exists(
    array="a[]",
    where=array:exists(array="a.field.b[]", var=x, condition=test(x==2)))

    Iterates over the elements of the array a[] and, for each element, checks whether its nested a.field.b[] array contains a value equal to 2. Events with at least one such element pass the filter.

  4. Event Result set.

Summary and Results

The query is used to test for the existence of simple values in nested arrays. The query outputs the events that passed the filtering condition.

Sample output from the incoming example data:

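| a[0].field.b[0] | a[0].field.b[1] | a[1].field.b[0] | a[2].field.b[0] |
|-----------------|-----------------|-----------------|-----------------|
| 1               | 2               | <no value>      | <no value>      |
| 1               | 2               | 3               | 4               |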
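
The nested check described in the steps above, modelled in Python as an added example (not LogScale's implementation and not code from the original page): it groups the flattened a[i].field.b[j] fields by outer index and applies the inner test per element. The parse_kv helper is a simplified stand-in for kvparse(), and the raw events are constructed from the example data table.

```python
import re

# Flattened field names as they appear after parsing, e.g. "a[1].field.b[0]".
FIELD_RE = re.compile(r"^a\[(\d+)\]\.field\.b\[(\d+)\]$")

# Constructed raw events matching the four rows of the example data table.
SAMPLE_EVENTS = [
    "a[0].field.b[0]=1",
    "a[0].field.b[0]=1 a[0].field.b[1]=2",
    "a[1].field.b[0]=3",
    "a[0].field.b[0]=1 a[0].field.b[1]=2 a[1].field.b[0]=3 a[2].field.b[0]=4",
]


def parse_kv(raw):
    """Simplified stand-in for kvparse(): whitespace-separated key=value pairs."""
    return dict(pair.split("=", 1) for pair in raw.split())


def nested_b_arrays(fields):
    """Group a[i].field.b[j] values by outer index i, giving one list per a[i]."""
    grouped = {}
    for name, value in fields.items():
        match = FIELD_RE.match(name)
        if match:
            grouped.setdefault(int(match.group(1)), []).append(value)
    return grouped


def equals_number(value, number):
    """Model of test(x==2): numeric comparison; non-numeric values never match."""
    try:
        return float(value) == number
    except ValueError:
        return False


def event_passes(raw, number=2):
    """Outer loop over a[] (objectArray:exists), inner loop over b[] (array:exists)."""
    arrays = nested_b_arrays(parse_kv(raw))
    return any(
        any(equals_number(v, number) for v in b_values)
        for b_values in arrays.values()
    )


def filter_events(raw_events, number=2):
    """Return the raw events that pass the filter, in input order."""
    return [raw for raw in raw_events if event_passes(raw, number)]
```

Calling filter_events(SAMPLE_EVENTS) keeps the second and fourth events, matching the sample output table.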