This function takes the name of an array and drops all fields of this array.
| Parameter | Type | Required | Default Value | Description |
|---|---|---|---|---|
array[a] | string | required | Name of the array to drop values for. Must follow valid Array Syntax for array of scalars. For example, for events with fields incidents[0], incidents[1], ... this would be incidents[]. | |
Hide omitted argument names for this function
Omitted Argument NamesThe argument name for
arraycan be omitted; the following forms of this function are equivalent:logscale Syntaxarray:drop("value")and:
logscale Syntaxarray:drop(array="value")These examples show basic structure only.
array:drop() Function Operation
array:drop() requires that the input
array has continuous, sequential indexes with no gaps (empty
indexes) and that the array starts at index [0], for example,
incidents[0], incidents[1], incidents[2]. If there are gaps,
for example, incidents[0], incidents[1], incidents[2],
incidents[10] only the fields from index 0 up to the first
empty index will be dropped.
If no array with the given name exists, the function does nothing.
Without this function, each element of an array would need to
be dropped individually using drop() or
array:filter() as shown below:
array:filter(array="a[]", function={false}, var="")With the function, specify the name of the array field to drop:
array:drop("a[]")Validation:
The array parameter is validated to ensure the field is an array value.
array:drop() Examples
Click next to an example below to get the full details.
Count Nested Array Elements
Count elements in nested arrays using the
objectArray:eval() function with
array:length()
Query
objectArray:eval(array="arrayToCount[]", asArray="tmpCountArray[]", function={ tmpCountArray:=true })
| array:length("tmpCountArray[]")
| array:drop("tmpCountArray[]")Introduction
In this example, the objectArray:eval() function is
used to iterate over a nested array field named
arrayToCount[] and populate a temporary flat array
named tmpCountArray[] with a marker value of
true for each element. This enables
array:length() to count the number of nested array
elements, which it otherwise cannot do directly on object arrays.
Example incoming data might look like this:
| @rawstring | @timestamp | @timestamp.nanos | arrayToCount[0].name | arrayToCount[0].value | arrayToCount[1].name | arrayToCount[1].value | arrayToCount[2].name | arrayToCount[2].value | arrayToCount[3].name | arrayToCount[3].value | host |
|---|---|---|---|---|---|---|---|---|---|---|---|
| "arrayToCount[0].name"=alpha "arrayToCount[0].value"=10 "arrayToCount[1].name"=beta "arrayToCount[1].value"=20 "arrayToCount[2].name"=gamma "arrayToCount[2].value"=30 host="server-01" | 1774950025788 | 0 | alpha | 10 | beta | 20 | gamma | 30 | <no value> | <no value> | server-01 |
| "arrayToCount[0].name"=delta "arrayToCount[0].value"=5 "arrayToCount[1].name"=epsilon "arrayToCount[1].value"=15 "arrayToCount[2].name"=zeta "arrayToCount[2].value"=25 "arrayToCount[3].name"=eta "arrayToCount[3].value"=35 host="server-02" | 1774950025788 | 0 | delta | 5 | epsilon | 15 | zeta | 25 | eta | 35 | server-02 |
| "arrayToCount[0].name"=theta "arrayToCount[0].value"=100 "arrayToCount[1].name"=iota "arrayToCount[1].value"=200 host="server-03" | 1774950025788 | 0 | theta | 100 | iota | 200 | <no value> | <no value> | <no value> | <no value> | server-03 |
| "arrayToCount[0].name"=kappa "arrayToCount[0].value"=7 host="server-04" | 1774950025788 | 0 | kappa | 7 | <no value> | <no value> | <no value> | <no value> | <no value> | <no value> | server-04 |
| "arrayToCount[0].name"=lambda "arrayToCount[0].value"=42 "arrayToCount[1].name"=mu "arrayToCount[1].value"=84 "arrayToCount[2].name"=nu "arrayToCount[2].value"=126 "arrayToCount[3].name"=xi "arrayToCount[3].value"=168 host="server-05" | 1774950025788 | 0 | lambda | 42 | mu | 84 | nu | 126 | xi | 168 | server-05 |
| "arrayToCount[0].name"=omicron "arrayToCount[0].value"=3 "arrayToCount[1].name"=pi "arrayToCount[1].value"=6 "arrayToCount[2].name"=rho "arrayToCount[2].value"=9 host="server-06" | 1774950025788 | 0 | omicron | 3 | pi | 6 | rho | 9 | <no value> | <no value> | server-06 |
| "arrayToCount[0].name"=sigma "arrayToCount[0].value"=11 "arrayToCount[1].name"=tau "arrayToCount[1].value"=22 host="server-07" | 1774950025788 | 0 | sigma | 11 | tau | 22 | <no value> | <no value> | <no value> | <no value> | server-07 |
| "arrayToCount[0].name"=upsilon "arrayToCount[0].value"=55 "arrayToCount[1].name"=phi "arrayToCount[1].value"=110 "arrayToCount[2].name"=chi "arrayToCount[2].value"=165 "arrayToCount[3].name"=psi "arrayToCount[3].value"=220 host="server-08" | 1774950025788 | 0 | upsilon | 55 | phi | 110 | chi | 165 | psi | 220 | server-08 |
Each event contains a nested array field
arrayToCount[], where each element is an object
with sub-fields such as arrayToCount[n].name and
arrayToCount[n].value. Because the array elements
are objects rather than scalar values,
array:length() alone cannot count them. The
workaround described in this example resolves this limitation.
Step-by-Step
Starting with the source repository events.
- logscale
objectArray:eval(array="arrayToCount[]", asArray="tmpCountArray[]", function={ tmpCountArray:=true })The
objectArray:eval()function iterates over each element of the nested object array specified by thearrayparameter, here set to arrayToCount[].For each element found, it evaluates the expression provided in the
functionparameter — in this case assigning the valuetrueto a field named tmpCountArray, which will be an element of the output array. Note that the field name must match the array name specified in theasArrayparameter.The results are collected into a new flat array specified by the
asArrayparameter, named tmpCountArray[].After this step, tmpCountArray[] contains one entry of
trueper element in the original nested array arrayToCount[], effectively creating a flat, countable representation of the nested array's length. Without this intermediate step,array:length()would be unable to count the elements because it does not operate on object-type (nested) arrays.Note that the temporary array (in this example tmpCountArray[]) must have a unique name for each searched event. If the name is not unique, LogScale overwrites and drops existing fields from the event.
- logscale
| array:length("tmpCountArray[]")The
array:length()function counts the number of elements in the flat array tmpCountArray[] that was created in the previous step. Because tmpCountArray[] is a flat array with onetrueentry per original nested element, this count accurately reflects the number of elements in the original nested array arrayToCount[]. The function returns the result in a new field named _length by default. - logscale
| array:drop("tmpCountArray[]")Removes the temporary flat array tmpCountArray[] from the event. Since this array was only created as an intermediate step to enable counting, it is no longer needed once
array:length()has returned the count in the _length field. Dropping it keeps the output clean and avoids polluting the results with intermediate fields. Event Result set.
Summary and Results
The query is used to count the number of elements in a nested object
array field by using the objectArray:eval()
function to create a temporary flat array of marker values, then
applying the array:length() function to find the
length of the flat temporary array, and finally removing the temporary
array with array:drop().
This query is useful, for example, to determine how many sub-objects are
present in a nested array field per event — such as counting the
number of items in a shopping cart, the number of network interfaces on
a host, or the number of findings in a security alert — in cases
where the array:length() function alone cannot
operate on object arrays.
Sample output from the incoming example data:
| _length | arrayToCount[0].name | arrayToCount[0].value | arrayToCount[1].name | arrayToCount[1].value | arrayToCount[2].name | arrayToCount[2].value | arrayToCount[3].name | arrayToCount[3].value | host |
|---|---|---|---|---|---|---|---|---|---|
| 3 | alpha | 10 | beta | 20 | gamma | 30 | <no value> | <no value> | server-01 |
| 4 | delta | 5 | epsilon | 15 | zeta | 25 | eta | 35 | server-02 |
| 2 | theta | 100 | iota | 200 | <no value> | <no value> | <no value> | <no value> | server-03 |
| 1 | kappa | 7 | <no value> | <no value> | <no value> | <no value> | <no value> | <no value> | server-04 |
| 4 | lambda | 42 | mu | 84 | nu | 126 | xi | 168 | server-05 |
| 3 | omicron | 3 | pi | 6 | rho | 9 | <no value> | <no value> | server-06 |
| 2 | sigma | 11 | tau | 22 | <no value> | <no value> | <no value> | <no value> | server-07 |
| 4 | upsilon | 55 | phi | 110 | chi | 165 | psi | 220 | server-08 |
Note that the original nested array fields
arrayToCount[] are still present in the output
alongside host and _length
— only the intermediate tmpCountArray[] field
has been removed by array:drop().
Also note that the count in _length reflects only
the number of populated elements in the nested array per event, so
events with fewer sub-objects will return a lower count accordingly, as
seen with server-04 which contains only a single
nested array element and therefore returns a
_length value of 1.
Drop Fields From Input Array
Drop fields in an array using the
array:drop() function
Query
array:drop("a[]")Introduction
In this example, the array:drop() function is used
to drop all fields of the array
a[].
Example incoming data might look like this:
| a[0]=Dog |
|---|
| a[1]=Cat |
| a[42]=Horse |
| a[0]=Dog |
| b[0]=Cat |
| c[0]=Horse |
| animal=cow |
Step-by-Step
Starting with the source repository events.
- logscale
array:drop("a[]")Takes the name of the array a[] and drops all fields of this array. Array b[] and array c[] will not be dropped in this example. Be aware that if there are empty entries in the array, only the fields from index 0 up to the first empty index will be dropped.
Event Result set.
Summary and Results
The query is used to drop all fields from a specific input array.
Sample output from the incoming example data:
| b[0] | c[0] | animal |
|---|---|---|
| Cat | Horse | cow |
Transform Array Key-Value Pairs Into Top-Level Fields
Flatten structured array data into individual fields using the
objectArray:eval() with
concatArray() and
array:drop()
Query
objectArray:eval(array="in[]", asArray="kvpairs[]", function={
kvpairs:=format("%s=%s", field=[in.key, in.value])
})
| concatArray("kvpairs", separator=" ")
| kvParse(field="_concatArray")
| drop([_concatArray])
| array:drop("kvpairs[]")Introduction
In this example, the objectArray:eval() function is
used to iterate over an array of key-value pair objects stored in the
in[] array field, formatting each pair into a
key=value string. The resulting strings are then
concatenated into a single space-separated string, parsed with
kvParse() to promote each key-value pair into a
top-level field, and finally the intermediate working fields are removed
using drop() and array:drop().
Example incoming data might look like this:
| in[0].key | in[0].value | in[1].key | in[1].value | in[2].key | in[2].value | @timestamp |
|---|---|---|---|---|---|---|
| foo | bar | baz | qux | zap | wham | 2026-03-30T08:15:00Z |
| alpha | bravo | charlie | delta | echo | foxtrot | 2026-03-30T08:16:00Z |
| red | 42 | blue | 17 | green | 99 | 2026-03-30T08:17:00Z |
| ping | pong | flip | flop | zig | zag | 2026-03-30T08:18:00Z |
| ax | bx | cx | dx | ex | fx | 2026-03-30T08:19:00Z |
Each event contains an array of objects under the in[] field, where each object has a key and a value sub-field. The goal is to promote these dynamic key-value pairs into individual top-level fields on each event, regardless of what the key names are.
Step-by-Step
Starting with the source repository events.
- logscale
objectArray:eval(array="in[]", asArray="kvpairs[]", function={ kvpairs:=format("%s=%s", field=[in.key, in.value]) })The
objectArray:eval()function iterates over each element in the in[] array, as specified by thearrayparameter. The inner function block is applied to each element in turn. TheasArrayparameter specifies that the results of the inner function are collected into a new array named kvpairs[], updating the event with this new array field.Inside the function block, the
format()function constructs a string in the formkey=valuefor each array element by referencing in.key and in.value — the sub-fields of each object in the in[] array. The result is assigned to kvpairs for each iteration, producing an array of formatted strings such asfoo=bar,baz=qux, andzap=whamfor the first event. - logscale
| concatArray("kvpairs", separator=" ")The
concatArray()function joins all elements of the kvpairs[] array into a single string, using a space character as the separator specified by theseparatorparameter. The result is returned in a new field named _concatArray, which is the default output field name for this function. For the first event, this produces a string such asfoo=bar baz=qux zap=wham. - logscale
| kvParse(field="_concatArray")The
kvParse()function parses the space-separatedkey=valuestring stored in _concatArray, as specified by thefieldparameter. Each key-value pair found in the string is promoted to a top-level field on the event. For example, the stringfoo=bar baz=qux zap=whamresults in three new fields: foo with valuebar, baz with valuequx, and zap with valuewham. The default separator used bykvParse()is a space, which matches the output of the previous step. - logscale
| drop([_concatArray])The
drop()function removes the intermediate scalar field _concatArray from each event. This field was only needed as an intermediate representation during the parsing step and is no longer required in the final output. - logscale
| array:drop("kvpairs[]")The
array:drop()function removes the intermediate array field kvpairs[] from each event. This array was created byobjectArray:eval()as a working structure to hold the formattedkey=valuestrings and is no longer needed once parsing is complete. Usingarray:drop()rather thandrop()is required here because kvpairs[] is an array field, and array fields must be removed with the dedicatedarray:drop()function. Event Result set.
Summary and Results
The query is used to flatten structured array data — where each
array element is an object containing a key and a
value sub-field — into individual top-level
fields on each event. It achieves this by iterating over the array with
objectArray:eval(), formatting each pair as a
key=value string, concatenating the strings with
concatArray(), parsing the result with
kvParse(), and finally cleaning up the intermediate
scalar field with drop() and the intermediate array
field with array:drop().
This query is useful, for example, to normalize events from systems that emit dynamic or variable sets of attributes as arrays of key-value objects — such as configuration management tools, metadata APIs, or enrichment pipelines — so that the attributes can be used directly in filters, aggregations, and dashboards without requiring knowledge of the specific key names in advance.
Sample output from the incoming example data:
| foo | baz | zap | alpha | charlie | echo | red | blue | green | ping | flip | zig | ax | cx | ex |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| bar | qux | wham | <no value> | <no value> | <no value> | <no value> | <no value> | <no value> | <no value> | <no value> | <no value> | <no value> | <no value> | <no value> |
| <no value> | <no value> | <no value> | bravo | delta | foxtrot | <no value> | <no value> | <no value> | <no value> | <no value> | <no value> | <no value> | <no value> | <no value> |
| <no value> | <no value> | <no value> | <no value> | <no value> | <no value> | 42 | 17 | 99 | <no value> | <no value> | <no value> | <no value> | <no value> | <no value> |
| <no value> | <no value> | <no value> | <no value> | <no value> | <no value> | <no value> | <no value> | <no value> | pong | flop | zag | <no value> | <no value> | <no value> |
| <no value> | <no value> | <no value> | <no value> | <no value> | <no value> | <no value> | <no value> | <no value> | <no value> | <no value> | <no value> | bx | dx | fx |
Note that each event only contains values for the fields that were present in its own in[] array — fields from other events are absent for that row, since the key names are dynamic and differ between events. The field names in the output are entirely determined by the values of the key sub-fields in the input array, making this pattern flexible for any set of dynamic attribute names.