Arrayexpand
Cortex XDR XQL arrayexpand stage creates a record for every value found in a field containing an array.
Synopsis
arrayexpand <array_field> [limit <limit>]
Description
The
arrayexpand
stage accepts a field that contains
an array, and it creates a record in the result set for each item in the
array, up to <limit
> number of records. For example,
suppose you have a dataset with a single row like this:
uid
|
username
|
array_values
|
|---|---|---|
123456
|
ajohnson
|
[1,2,3,4,5,6,7,8,9,0]
|
Then if you run an
arrayexpand
stage using the
array_values
field, with a limit of 3, the result set includes
the following records:
dataset=my_dataset | arrayexpand array_values limit 3
uid
|
username
|
array_values
|
|---|---|---|
123456
|
ajohnson
|
2
|
123456
|
ajohnson
|
1
|
123456
|
ajohnson
|
3
|
The result records created by
expandarray
are in no particular order. However, you can use the
Sort
stage to sort the results:
dataset=my_dataset | arrayexpand array_values | sort asc array_values
Recommended For You
Recommended Videos
Recommended videos not found.
