Let's say I have a list of items like this:
[
"abcdef",
"defghi",
"euskdh"
]
I want to write a filter that returns all of the items that contain an "a", "d", or "h". This is the best I could come up with:
. as $val | select(any(["a", "d", "h"]; inside($val)))
Is there any way to do it without using a variable?
Assuming your jq has regex support:
map(select(test("a|d|h")))
Or if you want a stream of values:
.[] | select(test("a|d|h"))
If your jq does not have regex support, then if it has any/2, the following will produce a stream of values:
.[] | select( any( index( "a", "d", "h"); . != null ) )
All else failing, the following will do the job but is inefficient:
.[] | select( [index("a", "d", "h")] | any )
Here is a solution using index
.[]
| if index("a") or index("d") or index("h") then . else empty end
Related
Say I have a row that looks like this
data (string) | key
======================================
'{ "val1": 3, "val2": 4 }' 1
How can I add a new field to the json string in the data column? For brevity, say I would like to add a constant value to it.
'{ "val1": 3, "val2": 4, "new_field": "x" }'
I think I can do this with string functions like concat, length and substr with something like
concat( substr(data, 0, length(data) - 1, ', "new_field": "x"', '}' )
I am wondering, is there a more json-native way of doing this ?
I want to count the number of occurrence of a specific JSON structure. For example in my event there is a field called data which its value is JSON . but this field can have a variety of structures. like:
data = {a: "b"}
data= {d: "x", h: "e"}
...
now I want to know how many event has data with each JSON structure and I don't care about values only keys are matter.
Try one of these 2:
index=ndx sourcetype=srctp data=*
| stats dc(data) as unique_data
Or
index=ndx sourcetype=srctp data=*
| stats values(data) as data_vals
I want to divide two timecharts (ideally to look also like a timechart, but something else that emphasizes the trend is also good).
I have two types of URLs and I can generate timecharts for them like this:
index=my-index sourcetype=access | regex _raw="GET\s/x/\w+" | timechart count
index=my-index sourcetype=access | regex _raw="/x/\w+/.*/\d+.*\s+HTTP" | timechart count
The purpose is to emphasize that the relative number of URLs of the second type is increasing and the relative number of URLs of the first type is decreasing.
This is why I want to divide them (ideally the second one by the first one).
For example, if the first series generates 2, 4, 8, 4 and the second one generates 4, 9, 20, 12 I want to have only one dashboard showing somehow the result 2, 2.25, 2.5, 3.
I just managed to get together those information by doing this, but not to generate a timechart and not to divide them:
index=my-index sourcetype=access
| eval type = if(match(_raw, "GET\s/x/\w+"), "new", if(match(_raw, "/x/\w+/.*/\d+.*\s+HTTP"), "old", "other"))
| table type
| search type != "other"
| stats count as "Calls" by type
I also tried some approaches using eval, but none of them work.
Try this query:
index=my-index sourcetype=access
| eval type = if(match(_raw, "GET\s/x/\w+"), "new", if(match(_raw, "/x/\w+/.*/\d+.*\s+HTTP"), "old", "other"))
| fields type
| search type != "other"
| timechart count(eval(type="new")) as "New", count(eval(type="old")) as "Old"
| eval Div=if(Old=0, 0, Old/New)
Desciption:
I have an array 2d:
$array = InvApplication::model()->findall(array('order'=>'app_name'));
The array contents the next element: "app5", How to avoid it?
Actual Output:
app_name|field1|field2|fieldN|..|..
appn |
appn1 |
appn2 |
app5 |
Already Tested
I have been testing with unset, in_array and strpos functions.
In addition to:
php - finding keys in an array that match a pattern
Delete element from multidimensional-array based on value
My actual piece of code:
This is an actual way, but is not working as I want.
$deleteapp = "app5";
unset($list[$deleteapp]); Test with unset or array_diff
foreach($list as $k=>$v)
{
if(in_array($v,array('app5'))) unset($list[$k]);}
I expect this:
app_name|field1|field2|fieldN|..|..
appn |
appn1 |
appn2 |
Thank you.
seems you want exclude a app_name from the select result
in this case you could use a condition
$array = InvApplication::model()->findall(
array("condition"=> "app_name != 'app5'","order"=>"app_name")
);
I want to read values of a json (message) object which has array in it.
This below query helps for immediate properties in d.
traces | extend d = parsejson(message) | d.Timestamp, d.Name;
How do I read property part of an array within d (message). For example if I want to read all street values in below message .. how to do ? This is kind of needing a loop
message
{
"Timestamp": "12-12-2008",
Name: "Alex",
address: {
[{"street": "",zip:""},{"street":"", "zip":""}]
}
}
One way to do this would be using the mvexpand operator (see documentation).
It will output a single row for each element in your array which you could iterate over.
So in your example, running:
traces | extend d = parsejson(message) | mvexpand d.address
Will output a row for each address.