Abstract
Learn more about the Cortex Query Language arraymap() function that applies a callable function to every element of an array.
Syntax
arraymap (<array>, <function()>)
Description
The arraymap() function applies a specified function to every element of an array. For functions that require a field name, use "@element" in its place.
Examples
Extract the MAC address from the agent_interface_map field. This example uses the json_extract_scalar, to_json_string, json_extract_array, and arraystring functions to extract the desired information.
dataset = xdr_data
| alter mac = arraystring(arraymap(json_extract_array(to_json_string(agent_interface_map), "$."), json_extract_scalar("@element", "$.mac")), ",")