Learn more about the Cortex Query Language arrayindexof() function that returns the index value of an array.
Syntax
arrayindexof(<array>, <condition>)
arrayindexof(<array>, "@element"<operator>"<array element>")
Note
The <operator> can be any supported operator, such as = and !=.
Description
The arrayindexof() function enables you to return a value related to an array in one of the following ways.
Returns 0 if a particular array is not empty and the specified condition is true. If the condition is not met, a NULL value is returned.
Returns the 0-based index of a particular array element if a particular array is not empty and the specified condition using an @element is true. If the condition is not met, a NULL value is returned.
Examples
Condition
Use the alter stage to assign a value returned by the arrayindexof function to a field called x. The arrayindexof function reviews the dfe_labels array and returns 0 if the array is not empty and the backtrace_identities array contains more than 1 element. Otherwise, a NULL value is assigned to the x field.
dataset in (xdr_data) | alter x = arrayindexof(dfe_labels , array_length(backtrace_identities) > 1) | fields x, dfe_labels | limit 100
@Element
When the dfe_labels array is not empty, use the alter stage to assign the 0-based index value returned by the arrayindexof function to a field called x. The arrayindexof function reviews the dfe_labels array and looks for the array element set to network. If no element is set to network, a NULL value is assigned to the x field.
dataset = xdr_data | filter dfe_labels != null | alter x = arrayindexof(dfe_labels , "@element" = "network") | fields x, dfe_labels | limit 100
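The following Python model is an added example, not Palo Alto Networks code. It reproduces the two return modes described above on constructed rows and shows why a result of 0 must be distinguished from NULL when filtering on x. Assumptions: the function names are hypothetical, an empty array yields NULL, and the first matching element wins when several match.

```python
import operator

# Only the two operators named on this page; XQL supports others.
_OPERATORS = {"=": operator.eq, "!=": operator.ne}

def arrayindexof_condition(array, condition):
    """Condition form: 0 if the array is non-empty and the condition holds, else None (NULL)."""
    if not array:
        return None  # assumption: empty or missing array yields NULL
    return 0 if condition else None

def arrayindexof_element(array, op, value):
    """@element form: 0-based index of the matching element, else None (NULL)."""
    if not array:
        return None
    compare = _OPERATORS[op]
    for index, element in enumerate(array):
        if compare(element, value):
            return index  # assumption: first match is reported
    return None

# Constructed sample rows using the field names from the queries above.
ROWS = [
    {"dfe_labels": ["network", "dns"], "backtrace_identities": ["a", "b"]},
    {"dfe_labels": ["process", "network"], "backtrace_identities": ["a"]},
    {"dfe_labels": ["process"], "backtrace_identities": []},
    {"dfe_labels": [], "backtrace_identities": ["a", "b"]},
]

def run_examples(rows):
    """Return (condition-form x, @element-form x) for each row."""
    results = []
    for row in rows:
        labels = row["dfe_labels"]
        cond_x = arrayindexof_condition(labels, len(row["backtrace_identities"]) > 1)
        elem_x = arrayindexof_element(labels, "=", "network")
        results.append((cond_x, elem_x))
    return results

def rows_with_network(rows):
    """Keep rows where "network" was found. Compare against None: index 0 is a hit."""
    return [r for r in rows
            if arrayindexof_element(r["dfe_labels"], "=", "network") is not None]

if __name__ == "__main__":
    for row, result in zip(ROWS, run_examples(ROWS)):
        print(row["dfe_labels"], "->", result)
```

In a query, the equivalent of the last function is a null check on x after the alter stage, not a test for a non-zero value.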