Concatenates the values of all fields with the same name and an
array suffix into a value in a new field. Such array fields
typically come as output from either
parseJson() or
splitString().
All array fields starting with index from and ending with index to are selected. If some index is missing, the concatenation stops with the previous index, thus if only index 0, 1 and 3 are present, only index 0 and 1 are concatenated. If the first index is missing, no field is added to the event.
| Parameter | Type | Required | Default Value | Description |
|---|---|---|---|---|
as | string | optional[a] | _concatArray | Name of output field. |
field[b] | string | required | Base name for array fields to concatenate. | |
from | number | optional[a] | 0 | First array index to include [0..∞]. |
prefix | string | optional[a] | Prefix to prepend to the generated string. | |
separator | string | optional[a] | Separator between values. | |
suffix | string | optional[a] | Suffix to append to the generated string. | |
to | number | optional[a] | Last array index to include (leave out to get all). Must be equal to or larger than from. | |
[a] Optional parameters use their default value unless explicitly set. | ||||
Hide omitted argument names for this function
Omitted Argument NamesThe argument name for
fieldcan be omitted; the following forms of this function are equivalent:logscale SyntaxconcatArray("value")and:
logscale SyntaxconcatArray(field="value")These examples show basic structure only.
concatArray() Examples
Click next to an example below to get the full details.
Concatenate Values From Deeply Nested Array Elements
Concatenate deeply nested objects and arrays using
objectArray:eval() function with itself
Query
objectArray:eval(
"in[]",
asArray="out[]",
function={
objectArray:eval("in.others[]", asArray="tmp[]", function={tmp := "in.others.d"})
| out := concatArray(tmp)
}
)Introduction
In this example, the objectArray:eval() function is
used with itself to concatenate a deeply nested arrays of objects values
in the array in[] and return the
concatenated values in the output field
out[].
Example incoming data might look like this:
| in[0].others[0].d: 1 |
|---|
| in[0].others[1].d: 2 |
| in[0].others[2].d: 3 |
| in[1].others[0].d: 4 |
| in[1].others[1].d: 5 |
| in[1].others[2].d: 6 |
Step-by-Step
Starting with the source repository events.
- logscale
objectArray:eval( "in[]", asArray="out[]", function={Iterates over the array from start to end (or to the first empty index in the array, applies the given function, and returns the concatenated results in a new output array name field out[].
- logscale
objectArray:eval("in.others[]", asArray="tmp[]", function={tmp := "in.others.d"}) | out := concatArray(tmp) } )The nested
objectArray:eval()performs the concatenation of the values within the nested array by calling theconcatArray()function.Notice that in the nested call to
objectArray:eval(), the given input array name is the nested array in.others[]. This works because it is translated to the field in[i].others[] by the parentobjectArray:eval()current array indexi.To return the concatenated array, the
asArrayparameter is set to the tmp[] field, and then when we assign the value of the concatenated value. Event Result set.
Summary and Results
The query is used to concatenate deeply nested arrays of objects. The use of this function in this way is often useful when incoming ingested data has been defined in a nested structure, but needs to be displayed or summarized. For example, importing the properties or configuration values may result in a list of potential values for a given property. Concatenating the values together makes them easier to use as a summary value for display in a table or graph.
Sample output from the incoming example data:
out[0]: 123
out[1]: 456Concatenate Values in Arrays Into New Named Field
Concatenate values in flat arrays into new named field
Query
concatArray("email", as=servers)Introduction
In this example, the concatArray() function
concatenates the values of all fields with the same name into a value in
a new defined field.
Example incoming data might look like this:
email[0] := "dopey"
email[1] := "sleepy"
email[2] := "doc"
email[3] := "happy"
email[4] := "sneezy"Step-by-Step
Starting with the source repository events.
- logscale
concatArray("email", as=servers)Concatenates the values of fields email[0], email[1] and so on and returns the results in a field named servers.
Event Result set.
Summary and Results
The query is used to concatenate (join) two or more arrays into a new array. Concatenation is useful in programming and computing because it allows you to store and combine multiple pieces of data when needed.
Sample output from the incoming example data:
| email[0] | email[1] | email[2] | email[3] | email[4] | servers |
|---|---|---|---|---|---|
| dopey | sleepy | doc | happy | sneezy | dopeysleepydochappysneezy |
Concatenate Values in Arrays Using Pipe Separation
Concatenate values in flat arrays using pipe separation between the concatenated values
Query
concatArray(server, separator=" | ")Introduction
In this example, the concatArray() function
concatenates the values of all fields with the same name into pipe
separated values in a new field.
Example incoming data might look like this:
server[0] := "dopey"
server[1] := "sleepy"
server[2] := "doc"
server[3] := "happy"
server[4] := "sneezy"Step-by-Step
Starting with the source repository events.
- logscale
concatArray(server, separator=" | ")Concatenates the values of fields server[0], server[1] and so on and returns the results in a new array with a field named _concatArray where the concatenated values are separated by a pipe.
Event Result set.
Summary and Results
The query is used to concatenate (join) the elements of the array into a new field where the concatenated values are separated by a pipe. Concatenation is useful in programming and computing because it allows you to store and combine multiple pieces of data when needed.
Sample output from the incoming example data:
| server[0] | server[1] | server[2] | server[3] | server[4] | _concatArray | |
|---|---|---|---|---|---|---|
| dopey | sleepy | doc | happy | sneezy | dopey | dopey | sleepy | doc | happy | sneezy | dopey |
Concatenate Values in Arrays With a Defined Prefix and Suffix
Concatenate values in flat arrays using prefix, suffix and separator
Query
concatArray(server, prefix="[", separator=",", suffix="]")Introduction
In this example, the concatArray() function
concatenates the values of all fields with the same name and an array
suffix into a value in a new field, adding a prefix and a suffix to the
generated output result.
Example incoming data might look like this:
server[0] := "dopey"
server[1] := "sleepy"
server[2] := "doc"
server[3] := "happy"
server[4] := "sneezy"Step-by-Step
Starting with the source repository events.
- logscale
concatArray(server, prefix="[", separator=",", suffix="]")Concatenates the values of fields server[0], server[1] and so on and returns the results as a string named _concatArray enclosed in square brackets, and separated by a comma, which is similar to the written array format.
Event Result set.
Summary and Results
This can be useful to summarize or format a list of items for use in another part of the query.
Sample output from the incoming example data:
| server[0] | server[1] | server[2] | server[3] | server[4] | _concatArray |
|---|---|---|---|---|---|
| dopey | sleepy | doc | happy | sneezy | [dopey,sleepy,doc,happy,dopey] |
Concatenate Values of All Fields With Same Name in an Array
Concatenate values of all fields with same name in a flat array
Query
concatArray(server)Introduction
In this example, the concatArray() function
concatenates the values of all fields with the same name into a value in
a new field.
Example incoming data might look like this:
| server[0] := "dopey" |
| server[1] := "sleepy" |
| server[2] := "doc" |
| server[3] := "happy" |
| server[4] := "sneezy" |
Step-by-Step
Starting with the source repository events.
- logscale
concatArray(server)Concatenates the values of fields server[0], server[1] and so on and returns the results in a new array with a field named _concatArray. If no field is defined, the aggregate function always creates a field name beginning with underscore for the returned values.
Event Result set.
Summary and Results
The query is used to concatenate (join) two or more arrays into a new array. Concatenation is useful in programming and computing because it allows you to store and combine multiple pieces of data when needed.
Sample output from the incoming example data:
| email[0] | email[1] | email[2] | email[3] | email[4] | _concatArray |
|---|---|---|---|---|---|
| dopey | sleepy | doc | happy | sneezy | dopeysleepydochappysneezy |
Concatenate a Range of Values in Arrays
Concatenate values in flat arrays
Query
concatArray(server, from=1, to=3)Introduction
In this example, the concatArray() function
concatenates the values of all fields with the same name and index
between 1 to 3 into a value in a new field.
Example incoming data might look like this:
server[0] := "dopey"
server[1] := "sleepy"
server[2] := "doc"
server[3] := "happy"
server[4] := "sneezy"Step-by-Step
Starting with the source repository events.
- logscale
concatArray(server, from=1, to=3)Concatenates the values of fields server[1], server[2], and server[3], and returns the results in a new array with a field named _concatArray.
Event Result set.
Summary and Results
The query is used to concatenate (join) two or more arrays into a new array. Concatenation is useful in programming and computing because it allows you to store and combine multiple pieces of data when needed.
Sample output from the incoming example data:
| server[0] | server[1] | server[2] | server[3] | server[4] | _concatArray |
|---|---|---|---|---|---|
| dopey | sleepy | doc | happy | sneezy | sleepydochappy |
Transform Array Key-Value Pairs Into Top-Level Fields
Flatten structured array data into individual fields using the
objectArray:eval() with
concatArray() and
array:drop()
Query
objectArray:eval(array="in[]", asArray="kvpairs[]", function={
kvpairs:=format("%s=%s", field=[in.key, in.value])
})
| concatArray("kvpairs", separator=" ")
| kvParse(field="_concatArray")
| drop([_concatArray])
| array:drop("kvpairs[]")Introduction
In this example, the objectArray:eval() function is
used to iterate over an array of key-value pair objects stored in the
in[] array field, formatting each pair into a
key=value string. The resulting strings are then
concatenated into a single space-separated string, parsed with
kvParse() to promote each key-value pair into a
top-level field, and finally the intermediate working fields are removed
using drop() and array:drop().
Example incoming data might look like this:
| in[0].key | in[0].value | in[1].key | in[1].value | in[2].key | in[2].value | @timestamp |
|---|---|---|---|---|---|---|
| foo | bar | baz | qux | zap | wham | 2026-03-30T08:15:00Z |
| alpha | bravo | charlie | delta | echo | foxtrot | 2026-03-30T08:16:00Z |
| red | 42 | blue | 17 | green | 99 | 2026-03-30T08:17:00Z |
| ping | pong | flip | flop | zig | zag | 2026-03-30T08:18:00Z |
| ax | bx | cx | dx | ex | fx | 2026-03-30T08:19:00Z |
Each event contains an array of objects under the in[] field, where each object has a key and a value sub-field. The goal is to promote these dynamic key-value pairs into individual top-level fields on each event, regardless of what the key names are.
Step-by-Step
Starting with the source repository events.
- logscale
objectArray:eval(array="in[]", asArray="kvpairs[]", function={ kvpairs:=format("%s=%s", field=[in.key, in.value]) })The
objectArray:eval()function iterates over each element in the in[] array, as specified by thearrayparameter. The inner function block is applied to each element in turn. TheasArrayparameter specifies that the results of the inner function are collected into a new array named kvpairs[], updating the event with this new array field.Inside the function block, the
format()function constructs a string in the formkey=valuefor each array element by referencing in.key and in.value — the sub-fields of each object in the in[] array. The result is assigned to kvpairs for each iteration, producing an array of formatted strings such asfoo=bar,baz=qux, andzap=whamfor the first event. - logscale
| concatArray("kvpairs", separator=" ")The
concatArray()function joins all elements of the kvpairs[] array into a single string, using a space character as the separator specified by theseparatorparameter. The result is returned in a new field named _concatArray, which is the default output field name for this function. For the first event, this produces a string such asfoo=bar baz=qux zap=wham. - logscale
| kvParse(field="_concatArray")The
kvParse()function parses the space-separatedkey=valuestring stored in _concatArray, as specified by thefieldparameter. Each key-value pair found in the string is promoted to a top-level field on the event. For example, the stringfoo=bar baz=qux zap=whamresults in three new fields: foo with valuebar, baz with valuequx, and zap with valuewham. The default separator used bykvParse()is a space, which matches the output of the previous step. - logscale
| drop([_concatArray])The
drop()function removes the intermediate scalar field _concatArray from each event. This field was only needed as an intermediate representation during the parsing step and is no longer required in the final output. - logscale
| array:drop("kvpairs[]")The
array:drop()function removes the intermediate array field kvpairs[] from each event. This array was created byobjectArray:eval()as a working structure to hold the formattedkey=valuestrings and is no longer needed once parsing is complete. Usingarray:drop()rather thandrop()is required here because kvpairs[] is an array field, and array fields must be removed with the dedicatedarray:drop()function. Event Result set.
Summary and Results
The query is used to flatten structured array data — where each
array element is an object containing a key and a
value sub-field — into individual top-level
fields on each event. It achieves this by iterating over the array with
objectArray:eval(), formatting each pair as a
key=value string, concatenating the strings with
concatArray(), parsing the result with
kvParse(), and finally cleaning up the intermediate
scalar field with drop() and the intermediate array
field with array:drop().
This query is useful, for example, to normalize events from systems that emit dynamic or variable sets of attributes as arrays of key-value objects — such as configuration management tools, metadata APIs, or enrichment pipelines — so that the attributes can be used directly in filters, aggregations, and dashboards without requiring knowledge of the specific key names in advance.
Sample output from the incoming example data:
| foo | baz | zap | alpha | charlie | echo | red | blue | green | ping | flip | zig | ax | cx | ex |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| bar | qux | wham | <no value> | <no value> | <no value> | <no value> | <no value> | <no value> | <no value> | <no value> | <no value> | <no value> | <no value> | <no value> |
| <no value> | <no value> | <no value> | bravo | delta | foxtrot | <no value> | <no value> | <no value> | <no value> | <no value> | <no value> | <no value> | <no value> | <no value> |
| <no value> | <no value> | <no value> | <no value> | <no value> | <no value> | 42 | 17 | 99 | <no value> | <no value> | <no value> | <no value> | <no value> | <no value> |
| <no value> | <no value> | <no value> | <no value> | <no value> | <no value> | <no value> | <no value> | <no value> | pong | flop | zag | <no value> | <no value> | <no value> |
| <no value> | <no value> | <no value> | <no value> | <no value> | <no value> | <no value> | <no value> | <no value> | <no value> | <no value> | <no value> | bx | dx | fx |
Note that each event only contains values for the fields that were present in its own in[] array — fields from other events are absent for that row, since the key names are dynamic and differ between events. The field names in the output are entirely determined by the values of the key sub-fields in the input array, making this pattern flexible for any set of dynamic attribute names.