Skip to main content
Version: v4.19

unflatten

Unflattens data structures whose field names imply a nested structure.

Synopsis

unflatten [<separator>]

Description

The unflatten operator creates nested records out of record entries whose names include a separator, thus unflattening

info

unflatten uses a heuristic to determine the unflattened schema. Thus, the schema of a record that has been flattened using the flatten operator and unflattened afterwards may not be identical to the schema of the unmodified record.

<separator>

The separator string to unflatten records with.

Defaults to ..

Examples

Consider the following data:

{
  "src_ip": "147.32.84.165",
  "src_port": 1141,
  "dest_ip": "147.32.80.9",
  "dest_port": 53,
  "event_type": "dns",
  "dns.type": "query",
  "dns.id": 553,
  "dns.rrname": "irc.freenode.net",
  "dns.rrtype": "A",
  "dns.tx_id": 0,
  "dns.grouped.A": ["tenzir.com"]
}

The unflatten operator recreates nested records from fields that contain the . separator:

{
  "src_ip": "147.32.84.165",
  "src_port": 1141,
  "dest_ip": "147.32.80.9",
  "dest_port": 53,
  "event_type": "dns",
  "dns": {
    "type": "query",
    "id": 553,
    "rrname": "irc.freenode.net",
    "rrtype": "A",
    "tx_id": 0,
    "grouped": {
      "A": [
        "tenzir.com"
      ]
    }
  }
}