This query function checks whether the given value matches any of the values of the array and excludes the event from the search result if it does not match on any value.
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
array | string | true | A string in the format of a valid array followed by []. A valid array can either be an identifier, a valid array followed by . and an identifier, or a valid array followed by an array index surrounded by square brackets. E.g., for events with fields incidents[0], incidents[1], ... this would be incidents[]. [a] | |
value | string | true | The exact value of the array to search for. | |
[a] If an argument name is not given, | ||||
A specific syntax applies for this query function, see Array Syntax for details.
array:contains() Examples
Aggregating Array Content
Query
array:contains("incidents[]", value="Cozy Bear")
| groupBy(host)Introduction
Given events containing an
incidents
array:
Event 1
|--------------|-------------|
| host | v1 |
| incidents[0] | Evil Bear |
| incidents[1] | Cozy Bear |
|--------------|-------------|Event 2
|--------------|-------------|
| host | v15 |
| incidents[0] | Fancy Fly |
| incidents[1] | Tiny Cat |
| incidents[2] | Cozy Bears |
|--------------|-------------|
Find all the events where the field
incidents contains the
exact value
Cozy Bear
and group them by which hosts were affected, giving output
event:
Step-by-Step
Extract elements from the array incidents from the field host that match the text
Cozy Bear. The items will be output into the host field.logscalearray:contains("incidents[]", value="Cozy Bear")Group the result events extracted from the array by the host.
logscale| groupBy(host)
Summary and Results
The result is an aggregated count of the array elements matching
Cozy Bear.
|--------------|-------------|
| host | v1 |
| _count | 1 |
|--------------|-------------|