Use the array_extract function to extract specific values from a dynamic array using a JSON path expression. You can use this function to transform structured array data, such as arrays of objects, into simpler arrays of scalars. This is useful when working with nested JSON-like structures where you need to extract only selected fields for analysis, visualization, or filtering.
Use array_extract when:
- You need to pull scalar values from arrays of objects.
- You want to simplify a nested data structure before further analysis.
- You are working with structured logs or metrics where key values are nested inside arrays.
For users of other query languages
If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk SPL, you typically use spath with a wildcard or field extraction logic to navigate nested structures. APL’s array_extract uses JSON path syntax to extract array elements that match a given pattern.
['sample-http-logs']
| extend extracted_value = array_extract(dynamic([{'id': 1, 'value': true}, {'id': 2, 'value': false}]), @'$[*].value')
| project _time, extracted_value
ANSI SQL doesn’t offer native support for JSON path queries on arrays in standard syntax. While some engines support functions like JSON_VALUE or JSON_TABLE, they operate on single objects. APL’s array_extract provides a concise and expressive way to query arrays using JSON path.
['sample-http-logs']
| extend extracted_value = array_extract(dynamic([{'id': 1, 'value': true}, {'id': 2, 'value': false}]), @'$[*].value')
| project _time, extracted_value
Usage
Syntax
array_extract(sourceArray, jsonPath)
Parameters
| Name | Type | Description |
|---|---|---|
| sourceArray | dynamic | A JSON-like dynamic array to extract values from. |
| jsonPath | string | A JSON path expression to select values from the array. |
Returns
A dynamic array of values that match the JSON path expression. The function always returns an array, even when the path matches only one element or no elements.
Use case examples
Use array_extract to retrieve specific fields from structured arrays, such as arrays of request metadata.
Query
['sample-http-logs']
| extend extracted_value = array_extract(dynamic([{'id': 1, 'value': true}, {'id': 2, 'value': false}]), @'$[*].value')
| project _time, extracted_value
Output
| _time | extracted_value |
|---|---|
| Jun 24, 09:28:10 | ["true", "false"] |
| Jun 24, 09:28:10 | ["true", "false"] |
| Jun 24, 09:28:10 | ["true", "false"] |
This query extracts the value field from an array of objects, returning a flat array of booleans in string form.
Use array_extract to extract service names from a nested structure—for example, collecting service.name from span records in a trace bundle.
Query
['otel-demo-traces']
| summarize traces=make_list(pack('trace_id', trace_id, 'service', ['service.name'])) by span_id
| extend services=array_extract(traces, @'$[*].service')
Output
| span_id | services |
|---|---|
| 24157518330f7967 | [frontend-proxy] |
| 209a0815d291d88a | [currency] |
| aca763479149f1d0 | [frontend-web] |
This query collects and extracts the service.name fields from a constructed nested structure of spans.
Use array_extract to extract HTTP status codes from structured log entries grouped into sessions.
Query
['sample-http-logs']
| summarize events=make_list(pack('uri', uri, 'status', status)) by id
| extend status_codes=array_extract(events, @'$[*].status')
Output
| id | status_codes |
|---|---|
| user1 | [200] |
| user2 | [201] |
| user3 | [200] |
This query extracts all HTTP status codes per user session, helping to identify patterns like repeated failures or suspicious behavior.
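The APL query below is an added example, not part of the original documentation: it carries the session query above one step further to flag sessions with repeated authentication failures. The 401/403 status set and the threshold of 5 are assumptions to tune, and the tostring() cast is there because the first example on this page shows array_extract returning values in string form.

```kusto
['sample-http-logs']
| summarize events = make_list(pack('uri', uri, 'status', status)) by id
| extend status_codes = array_extract(events, @'$[*].status')
// One row per extracted status code, so the codes can be counted per session.
| mv-expand status_codes
// Assumed failure set: 401 and 403. Cast to string before comparing.
| summarize requests = count(), auth_failures = countif(tostring(status_codes) in ('401', '403')) by id
// Assumed threshold: 5 or more failures in one session.
| where auth_failures >= 5
| sort by auth_failures desc
```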
List of related functions
- array_slice: Returns a subarray like array_extract, but supports negative indexing.
- array_length: Returns the number of elements in an array. Useful before applying array_extract.
- array_concat: Joins arrays end-to-end. Use before or after slicing arrays with array_extract.
- array_index_of: Finds the position of an element in an array, which can help set the startIndex for array_extract.