Learn more about the Cortex Query Language arraymerge() function that returns an array created from a merge of the inner json-string arrays.
Syntax
arraymerge(<field>)
Description
The arraymerge() function returns an array, which is created from a merge of the inner json-string arrays, including merging a number of arraymap() function arrays. This function accepts a single array of json-strings, which is the <field> in the syntax.
Example 1
Returns a final array called result that is created from a merge of the inner json-string arrays from array x and array y with the values ["a", "b", "c", "d"].
dataset = xdr_data
| alter x= to_json_string(arraycreate("a","b")), y = to_json_string(arraycreate("c","d"))
| alter xy = arraycreate(x,y)
| alter xy=arraymerge(xy)Example 2
Returns a final array that is created from a merge of the arraymap by extracting the IP address from the agent_interface_map field and the first IPV4 address found in the first element of the agent_interface_map array. This example uses the to_json_string and json_extract_array functions to extract the desired information.
dataset = xdr_data
| alter a =
arraymerge (arraymap (agent_interface_map, to_json_string (json_extract_array (to_json_string("@element"), "$.ipv4") ) ) )