The array_iff function in Axiom Processing Language (APL) builds an array from two other arrays based on a condition array. It walks the arrays position by position, taking each element from the first array when the corresponding condition is true and from the second array otherwise. This is useful when you need to evaluate a condition across a set of collected values, for example in log analysis and trace data, and keep only the values for which the condition holds.
For users of other query languages
If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk SPL, array manipulation based on conditions typically requires using conditional functions or eval expressions. APL’s array_iff function lets you directly select elements from one array or another based on a condition, offering more streamlined array manipulation.
array_iff(condition_array, array1, array2)
In ANSI SQL, conditionally selecting elements from arrays often requires complex CASE statements or functions. With APL’s array_iff function, you can populate an array from two other arrays in one call, with a boolean array deciding which source each position comes from.
array_iff(condition_array, array1, array2)
Usage
Syntax
array_iff(condition_array, array1, array2)
Parameters
- condition_array: An array of boolean values, where each element determines whether to choose the corresponding element from array1 or array2.
- array1: The array to select elements from when the corresponding condition_array element is true.
- array2: The array to select elements from when the corresponding condition_array element is false.
Returns
An array where each element is selected from array1 if the corresponding condition_array element is true, and from array2 otherwise. Selection is by position: the element at index i of the result comes from index i of array1 or array2, so all three arrays must be built from the same rows in the same order (for example, from one summarize over the same events). The use case examples below pass the scalar 0 as array2; as their output shows, that value then fills every position where the condition is false.
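Because the selection is positional, the condition array and the value arrays must come from the same rows in the same order, and the fallback value must not collide with values that can genuinely occur. The following Python model of the documented semantics is added here as an illustration; it is not Axiom's implementation and not APL. SAMPLE_EVENTS, make_list and the helper functions are constructed for this example, the scalar fallback mirrors the 0 used in the use case examples, and rejecting arrays of mismatched length is the model's own assumption, since the page does not say what APL does in that case.

```python
from typing import Any, Callable, Dict, List, Sequence

# Constructed sample events standing in for rows of ['sample-http-logs'];
# the values are made up for this example.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"_time": "2024-05-01T10:00:00Z", "status": "200", "req_duration_ms": 0.315, "geo.city": "London"},
    {"_time": "2024-05-01T10:00:01Z", "status": "200", "req_duration_ms": 0.217, "geo.city": "London"},
    {"_time": "2024-05-01T10:00:02Z", "status": "500", "req_duration_ms": 1.204, "geo.city": "Paris"},
    {"_time": "2024-05-01T10:00:03Z", "status": "404", "req_duration_ms": 0.0,   "geo.city": "Berlin"},
    {"_time": "2024-05-01T10:00:04Z", "status": "200", "req_duration_ms": 0.0,   "geo.city": "London"},
]


def make_list(events: Sequence[Dict[str, Any]], expr: Callable[[Dict[str, Any]], Any]) -> List[Any]:
    """Stand-in for APL's make_list: evaluate expr on each row, in row order."""
    return [expr(row) for row in events]


def array_iff(condition_array: Sequence[bool], array1: Any, array2: Any) -> List[Any]:
    """Model of APL array_iff: take array1[i] where condition_array[i] is true,
    array2[i] otherwise. A non-list argument is treated as a scalar and used at
    every position, mirroring the 0 fallback in the page's examples. Raising on a
    length mismatch is this model's choice (assumption), not documented APL behaviour."""
    def pick(arr: Any, i: int) -> Any:
        return arr[i] if isinstance(arr, list) else arr

    for name, arr in (("array1", array1), ("array2", array2)):
        if isinstance(arr, list) and len(arr) != len(condition_array):
            raise ValueError(f"{name} has {len(arr)} elements, condition_array has {len(condition_array)}")
    return [pick(array1, i) if cond else pick(array2, i) for i, cond in enumerate(condition_array)]


def ok_request_durations(events: Sequence[Dict[str, Any]], fallback: Any = 0) -> List[Any]:
    """Same shape as the page's first example: is_ok and the durations are built
    from the same rows in the same order, so positions line up."""
    is_ok = make_list(events, lambda r: r["status"] == "200")
    durations = make_list(events, lambda r: r["req_duration_ms"])
    return array_iff(is_ok, durations, fallback)


def count_ok_durations(events: Sequence[Dict[str, Any]]) -> tuple:
    """Why the fallback matters: with 0 as fallback, a genuine 0 ms duration on a
    200 response cannot be told apart from a replaced non-200 entry, so counting
    non-zero entries undercounts. A null sentinel keeps them apart.
    Returns (count of non-zero with fallback 0, count of non-null with fallback None)."""
    with_zero = ok_request_durations(events, 0)
    with_null = ok_request_durations(events, None)
    return (sum(1 for d in with_zero if d != 0), sum(1 for d in with_null if d is not None))


def misaligned_durations(events: Sequence[Dict[str, Any]]) -> List[Any]:
    """The alignment pitfall: the condition list is built from the rows in a
    different order than the value list. array_iff matches by index, so the
    result silently keeps the wrong durations."""
    is_ok = make_list(list(reversed(events)), lambda r: r["status"] == "200")
    durations = make_list(events, lambda r: r["req_duration_ms"])
    return array_iff(is_ok, durations, 0)


if __name__ == "__main__":
    print("aligned:   ", ok_request_durations(SAMPLE_EVENTS))
    print("misaligned:", misaligned_durations(SAMPLE_EVENTS))
    print("ok count with fallback 0 vs None:", count_ok_durations(SAMPLE_EVENTS))
```

Running the block shows the aligned result keeping three 200 durations (one of them a real 0.0), the misaligned result dropping one of them while keeping the same shape, and the count differing depending on whether 0 or a null sentinel is used as the fallback.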
Use case examples
The array_iff function can help filter log data conditionally, such as choosing specific durations based on HTTP status codes.
Query
['sample-http-logs']
| order by _time desc
| limit 1000
| summarize is_ok = make_list(status == '200'), request_duration = make_list(req_duration_ms)
| project ok_request_duration = array_iff(is_ok, request_duration, 0)
Output
| ok_request_duration |
|---|
| [0.3150485097707766, 0, 0.21691408087847264, 0, 0.2757618582190533] |
This example keeps the req_duration_ms values for the most recent 1,000 requests that returned status 200 and replaces all other durations with 0. Because 0 is also a possible real duration, a 0 in the output cannot be told apart from a replaced non-200 entry; pick a fallback value that cannot occur in the data if you need that distinction.
With OpenTelemetry trace data, you can use array_iff to filter spans based on the service type, such as selecting durations for server spans and setting others to zero.
Query
['otel-demo-traces']
| order by _time desc
| limit 1000
| summarize is_server = make_list(kind == 'server'), duration_list = make_list(duration)
| project server_durations = array_iff(is_server, duration_list, 0)
Output
| server_durations |
|---|
| ["45.632µs", "54.622µs", 0, "34.051µs"] |
In this example, array_iff selects durations only for server spans, setting non-server spans to 0.
When reviewing HTTP logs for security, array_iff can be used to focus on the cities from which requests originated, for example keeping response durations for one city and blanking out the others.
Query
['sample-http-logs']
| limit 1000
| summarize is_london = make_list(['geo.city'] == "London"), request_duration = make_list(req_duration_ms)
| project london_duration = array_iff(is_london, request_duration, 0)
Output
| london_duration |
|---|
| [100, 0, 250] |
This example keeps the req_duration_ms values for requests from London and replaces the durations of requests from other cities with 0. Unlike the earlier examples, this query has no order by clause, so limit 1000 takes 1,000 events in whatever order the query returns them; add order by _time desc if you want the most recent 1,000.
List of related functions
- array_slice: Extracts a subset of elements from an array.
- array_concat: Combines multiple arrays.
- array_rotate_right: Rotates array elements to the right by a specified number of positions.