unroll

Version: Next
unroll
Unrolls a list by producing multiple events, one for each item.
Synopsis
unroll <field>
Description
The unroll operator transforms each input event into a multiple output events. For each item in the input list, one output event is created, where the list is replaced with its item. The surrounding data is kept as-is.

No output events are produced if the list is empty or if the field is null.
Examples
Consider the following events:
{"a": 1, "b": [1, 2, 3]} {"a": 2, "b": [1]} {"a": 3, "b": []} {"a": 4, "b": null}
unroll b would produce the following output:
{"a": 1, "b": 1} {"a": 1, "b": 2} {"a": 1, "b": 3} {"a": 2, "b": 1}
The unroll operator can also be used with records.
{ "src": "192.168.0.5", "conn": [ { "dest": "192.168.0.34", "active": "381ms" }, { "dest": "192.168.0.120", "active": "42ms" }, { "dest": "1.2.3.4", "active": "67ms" } ] }
We can use unroll conn to bring this into a form more suited for analysis. For example, we would then be able to use where active > 100ms || conn.dest !in 192.168.0.0/16 to filter for relevant connections.
{ "src": "192.168.0.5", "conn": { "dest": "192.168.0.34", "active": "381.0ms" } } { "src": "192.168.0.5", "conn": { "dest": "1.2.3.4", "active": "67.0ms" } }
Edit this page

Synopsis​

Description​

Examples​

Synopsis

Description

Examples