Splits an event structure created from a JSON array into distinct events. When Humio ingests JSON arrays, each array entry is turned into separate attributes named [0], [1], ... This function takes such an event and splits it into multiple events based on the prefix of those [N] attributes, which allows aggregate functions to be applied across array values. It is not very efficient, so it should only be used after some aggressive filtering.

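| Parameter | Type | Required | Default | Description |
|-----------|------|----------|---------|-------------|
| field | string | false | _events | Field to split by. |
| strip | boolean | false | false | Strip the field prefix when splitting (default is false). |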

Examples

In GitHub events, a PushEvent contains an array of commits, and each commit is expanded into sub-attributes of payload.commit_0, payload.commit_1, .... Humio cannot sum, count, etc. across such attributes. split() expands each PushEvent into one PushEvent per commit so they can be counted.

```humio
type=PushEvent | split(payload.commits) | groupby(payload.commits.author.email) | sort()
```
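To make the effect of the query above concrete, here is a small Python model of it. It is an added illustration, not Humio's implementation. The `[N]` field naming follows the description at the top of the page. The helper names, the sample events, the copying of non-array fields into each output event and the field names produced by `strip` are assumptions.

```python
import re
from collections import Counter

def split_event(event, field, strip=False):
    """Model of split(): one output event per [N] index found under `field`."""
    pattern = re.compile(r"^" + re.escape(field) + r"\[(\d+)\](.*)$")
    shared, per_index = {}, {}
    for key, value in event.items():
        m = pattern.match(key)
        if m is None:
            shared[key] = value  # assumed: other fields are copied to every output event
            continue
        index, rest = int(m.group(1)), m.group(2)
        # Drop the [N] marker; with strip=True also drop the field prefix (assumed naming).
        new_key = (rest.lstrip(".") or field) if strip else field + rest
        per_index.setdefault(index, {})[new_key] = value
    if not per_index:
        return [dict(event)]  # assumed: an event without the array passes through unchanged
    # Sort numerically so [10] follows [9] rather than [1].
    return [{**shared, **per_index[i]} for i in sorted(per_index)]

# Constructed sample events, flattened the way the page describes ([0], [1], ...).
EVENTS = [
    {"type": "PushEvent", "actor.login": "alice",
     "payload.commits[0].author.email": "alice@example.com",
     "payload.commits[0].sha": "aaa111",
     "payload.commits[1].author.email": "bob@example.com",
     "payload.commits[1].sha": "bbb222"},
    {"type": "PushEvent", "actor.login": "bob",
     "payload.commits[0].author.email": "bob@example.com",
     "payload.commits[0].sha": "ccc333"},
    {"type": "WatchEvent", "actor.login": "carol"},
]

def commits_per_author(events):
    """Model of the page's query: filter, split, group by author email, sort by count."""
    counts = Counter()
    for event in events:
        if event.get("type") != "PushEvent":  # filter before the expensive split
            continue
        for part in split_event(event, "payload.commits"):
            email = part.get("payload.commits.author.email")
            if email is not None:  # a push with no commits yields nothing to count
                counts[email] += 1
    return counts.most_common()

if __name__ == "__main__":
    for email, n in commits_per_author(EVENTS):
        print(f"{n:3d}  {email}")
```

Counting per commit author rather than per pusher is what the split makes possible: the first sample push is by `alice` but carries one commit authored by `bob@example.com`.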