Abstract
Learn more about the Cortex Query Language array_all()
function.
Syntax
array_all(<array>, "@element"<operator>"<array element>")
Note
The <operator>
can be any of the ones supported, such as =
and !=
.
Description
The array_all()
function returns true
when all the elements in a particular array match the condition in the specified array element. Otherwise, the function returns false
.
Example
When the dfe_labels
array is not empty, use the alter stage to create a new column called x
that returns true when all the elements in the dfe_labels
array is equal to network
; otherwise, the function returns false
.
dataset = xdr_data | filter dfe_labels != null | alter x = array_all(dfe_labels , "@element" = "network") | fields x, dfe_labels | limit 100