Searching array without using Index

We know that you would like to search for values inside arrays without having to specify an index, as the structure of the array can be dynamic and change in different log lines. So we listened. :slight_smile:

From today, you can search more easily and faster, without needing to specify any index.

What does that actually mean?

Let’s take the easiest example.

{
    "people": [
        {
            "name": "a",
            "age": 20,
            "languages": ["english", "french"],
            "gadgets": {
                "computer": "mac",
                "phone": "apple"
            }
        },
        {
            "name": "b",
            "age": 21,
            "languages": ["spanish", "german"]
        }
    ]
}

And you wanted to search for the value “a” or even the value “English”:

where(people.0.name = "a" OR people.1.name ="a")

where(people.0.languages.0="english" OR people.0.languages.1="english")

Looks long and complicated?

Now you can query in the most readable and fastest way.

where(people.*.name = "a")

where(people.*.languages.*="english")

where(people.*.name = /regex/)

Let us know what you think :slight_smile:


8 Likes

This is great and a huge help when the values we are looking for in the logs don’t line up in the same keyword throughout all the logs, although keep in mind, you cannot groupby(people.*.name).

Thanks for this - any plans to make this work for groupby?

Would be really useful when creating charts for Azure sign-in data.

What is the issue you face, @jowen?

Can you provide an example?

@david_smith I believe the issue is that you can use them in the where statement but not the groupby like so:

where(source_json.insertionStrings.*.Value=blah)groupby(source_json.insertionStrings.*.Value)

Ah yes, that’s certainly not the first time I’ve come across this complaint; currently we have no plans to add this to groupby, unfortunately.
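
The wildcard semantics from the announcement, emulated in Python over the same sample log line, plus a client-side tally for the groupby case the thread says is unsupported. This is an added example, not code from the thread or from the product; it assumes `*` means "any array element" and that a `where` clause matches when any expanded value matches, and the names `resolve`, `where` and `group_counts` are hypothetical.

```python
import json
import re
from collections import Counter

# Constructed sample: the log line from the announcement above.
LOG_LINE = json.loads("""
{"people": [
  {"name": "a", "age": 20, "languages": ["english", "french"],
   "gadgets": {"computer": "mac", "phone": "apple"}},
  {"name": "b", "age": 21, "languages": ["spanish", "german"]}
]}
""")

def resolve(node, path):
    """Yield every value reached by a dotted path; '*' fans out over array elements."""
    if isinstance(path, str):
        path = path.split(".")
    if not path:
        yield node
        return
    head, rest = path[0], path[1:]
    if isinstance(node, list):
        if head == "*":
            for item in node:
                yield from resolve(item, rest)
        elif head.isdigit() and int(head) < len(node):
            yield from resolve(node[int(head)], rest)
    elif isinstance(node, dict) and head in node:
        yield from resolve(node[head], rest)
    # Missing keys, out-of-range indexes and scalars hit mid-path yield nothing.

def where(event, path, expected):
    """True if any value at path equals expected (or matches it, if a compiled regex)."""
    for value in resolve(event, path):
        if isinstance(expected, re.Pattern):
            if isinstance(value, str) and expected.search(value):
                return True
        elif value == expected:
            return True
    return False

def group_counts(events, path):
    """Client-side tally of every scalar value a wildcard path expands to."""
    return Counter(v for e in events for v in resolve(e, path)
                   if isinstance(v, (str, int, float)))
```

Run `group_counts` over exported log events when a chart needs counts per array value, since the query language accepts the wildcard path in `where` but not in `groupby`.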