This query function checks whether the given value matches any of the values of the array and excludes the event from the search result if it does not match on any value.
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
array | string | true | A string in the format of a valid array followed by []. A valid array can either be an identifier, a valid array followed by . and an identifier, or a valid array followed by an array index surrounded by square brackets. E.g., for events with fields incidents[0], incidents[1], ... this would be "incidents[]". [a] | |
value | string | true | The exact value of the array to search for. | |
[a] When you provide only one parameter, the implied parameter is | ||||
A specific syntax applies for this query function, see Array Syntax for details.
Examples
Given events containing an incidents array:
Event 1
logscale
|--------------|-------------|
| host | v1 |
| incidents[0] | Evil Bear |
| incidents[1] | Cozy Bear |
|--------------|-------------|Event 2
logscale
|--------------|-------------|
| host | v15 |
| incidents[0] | Fancy Fly |
| incidents[1] | Tiny Cat |
| incidents[2] | Cozy Bears |
|--------------|-------------|
Find all the events where incidents contains the
exact value Cozy Bear and group
them by which hosts were affected, giving output event
logscale
|--------------|-------------|
| host | v1 |
| _count | 1 |
|--------------|-------------|logscale
array:contains("incidents[]", value="Cozy Bear") |
groupBy(host)