Learn more about the Cortex Query Language arraymerge() function that returns an array created from a merge of the inner json-string arrays.
Syntax
arraymerge(<field>)
Description
The arraymerge() function returns an array, which is created from a merge of the inner json-string arrays, including merging a number of arraymap() function arrays. This function accepts a single array of json-strings, which is the <field> in the syntax.
Example 1
Returns a final array called result that is created from a merge of the inner json-string arrays from array x and array y with the values ["a", "b", "c", "d"].
dataset = xdr_data | alter x= to_json_string(arraycreate("a","b")), y = to_json_string(arraycreate("c","d")) | alter xy = arraycreate(x,y) | alter xy=arraymerge(xy)
Example 2
Returns a final array that is created from a merge of the arraymap() output by extracting the IP address from the agent_interface_map field and the first IPv4 address found in the first element of the agent_interface_map array. This example uses the to_json_string and json_extract_array functions to extract the desired information.
dataset = xdr_data | alter a = arraymerge (arraymap (agent_interface_map, to_json_string (json_extract_array (to_json_string("@element"), "$.ipv4") ) ) )