A table/map type would be like set but the contents are key value pairs where only keys need to be unique and the canonical order is based on the key order.
The type definition would be go-like and look like this:
map[<any>]<any>
Given the zcode model, this could be used as an associative array for any zng data type.
This wouldn't be useful for very large arbitrary key,value maps within a zng stream as in Hadoop because it would need to fit comfortably in memory given the sorted-key constraint and zng.Record encoding. That said, this type could be a very useful gadget for manipulating record values in various ways at small scale.
On the other hand, large-scale variants of this datatype could be useful in the runtime referred to by procs that comes from elsewhere, e.g., to be a first-class external object available to a zql query but populated externally, e.g., to join threat-intel data to a zng stream.
e.g., something like this:
live-search | put intel=config.intel.map[id.orig_h] | filter intel.badguy=true | alert "${$id.orig_h}: ${intel.msg}"
where config.intel.map is a map of type map[ip]record[badguy:bool,info:string] and config refers to some external configuration for how this map appears in the runtime. This data structure could also be a cache of database lookups by key, e.g., retrieving the intel data from an online service and caching each result in the runtime table a la a DNS lookup cache. Of course, the database or map could be stored locally if performance is an issue (though the lookups could be easily parallelized).
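The lookup-and-cache behaviour described above, written out in Go as an added example; it is not code from this issue or from the zng project. `IntelMap`, `Get`, `Alerts`, `NewSampleMap`, the `Fetches` counter and the `fetch` callback are assumed names, the feed entry is constructed, and the record field follows the declared type (`info`).

```go
package main

import (
	"fmt"
	"net/netip"
)

// Intel mirrors the page's record[badguy:bool,info:string].
type Intel struct {
	BadGuy bool
	Info   string
}

// IntelMap stands in for config.intel.map: map[ip]record, filled on demand.
type IntelMap struct {
	entries map[netip.Addr]Intel
	fetch   func(netip.Addr) Intel // external lookup (assumed interface)
	Fetches int                    // external lookups actually made
}

// Get fetches each key once; misses are cached too (as a zero Intel).
func (m *IntelMap) Get(ip netip.Addr) Intel {
	if _, ok := m.entries[ip]; !ok {
		m.entries[ip] = m.fetch(ip)
		m.Fetches++
	}
	return m.entries[ip]
}

// Alerts is: put intel=map[id.orig_h] | filter intel.badguy=true | alert.
// Records whose id.orig_h does not parse as an IP are skipped.
func Alerts(m *IntelMap, origHosts []string) []string {
	var out []string
	for _, h := range origHosts {
		if ip, err := netip.ParseAddr(h); err == nil && m.Get(ip).BadGuy {
			out = append(out, fmt.Sprintf("%s: %s", ip, m.Get(ip).Info))
		}
	}
	return out
}

// NewSampleMap wraps a constructed feed listing one documentation-range host.
func NewSampleMap() *IntelMap {
	feed := map[string]Intel{"203.0.113.7": {BadGuy: true, Info: "constructed entry"}}
	lookup := func(ip netip.Addr) Intel { return feed[ip.String()] }
	return &IntelMap{entries: map[netip.Addr]Intel{}, fetch: lookup}
}

func main() { fmt.Println(Alerts(NewSampleMap(), []string{"10.0.0.5", "203.0.113.7"})) }
```

Caching misses as well as hits keeps a stream dominated by unlisted hosts from querying the external source once per record, the same trade a negative DNS cache makes.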