split() Query Function

Splits an event structure created from a JSON array into distinct events. When Humio ingests JSON arrays, each array entry is turned into separate attributes named [0], [1], ... This function takes such an event and splits it into multiple events based on the prefix of such [N] attributes, allowing aggregate functions to be applied across array values. It is not very efficient, so it should only be used after some aggressive filtering.

Parameters

| Name | Type | Required | Default | Description |
|------|------|----------|---------|-------------|
| field | string | No | _events | Field to split by. |
| strip | boolean | No | false | Strip the field prefix when splitting (default is false). |

The implied parameter is field.

Examples

In GitHub events, a PushEvent contains an array of commits, and each commit gets expanded into subattributes of payload.commit_0, payload.commit_1, .... Humio cannot sum, count, etc. across such attributes. split() expands each PushEvent into one PushEvent for each commit so they can be counted.

```humio
type=PushEvent | split(payload.commits) | groupby(payload.commits.author.email) | sort()
```
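The flattening and splitting described above, modelled in Python as an added example (not Humio's code, and not from the original page). The function names and sample events are constructed, and the result of strip=true (dropping the `payload.commits.` prefix from field names) is an assumption based on the parameter description.

```python
import re
from collections import Counter

def flatten(obj, prefix=""):
    """Flatten nested JSON to dotted keys; array entries become name[N]."""
    out = {}
    if isinstance(obj, dict):
        for k, v in obj.items():
            out.update(flatten(v, f"{prefix}.{k}" if prefix else k))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            out.update(flatten(v, f"{prefix}[{i}]"))
    else:
        out[prefix] = obj
    return out

def split(event, field, strip=False):
    """Model of split(): one output event per [N] index found under `field`."""
    pat = re.compile(re.escape(field) + r"\[(\d+)\](.*)$")
    shared, per_index = {}, {}
    for key, value in event.items():
        m = pat.match(key)
        if m is None:
            shared[key] = value          # non-array fields are copied to every event
            continue
        rest = m.group(2)
        # Assumption: strip=True drops the field prefix from the new names.
        name = (rest.lstrip(".") or field) if strip else field + rest
        per_index.setdefault(int(m.group(1)), {})[name] = value
    return [{**shared, **per_index[i]} for i in sorted(per_index)]

# Constructed sample events shaped like the GitHub example above.
SAMPLE = [
    {"type": "PushEvent", "payload": {"commits": [
        {"author": {"email": "a@example.com"}},
        {"author": {"email": "b@example.com"}}]}},
    {"type": "PushEvent", "payload": {"commits": [
        {"author": {"email": "a@example.com"}}]}},
    {"type": "WatchEvent", "payload": {}},
]

def commits_per_author(raw_events):
    """type=PushEvent | split(payload.commits) | groupby(...author.email)"""
    counts = Counter()
    for ev in map(flatten, raw_events):
        if ev.get("type") != "PushEvent":   # filter first; split is expensive
            continue
        for part in split(ev, "payload.commits"):
            counts[part["payload.commits.author.email"]] += 1
    return counts
```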