The array_length function in APL (Axiom Processing Language) returns the length of an array. You can use this function to analyze and filter data by array size, such as identifying log entries with specific numbers of entries or events with multiple tags. This function is useful for analyzing structured data fields that contain arrays, such as lists of error codes, tags, or IP addresses.
For users of other query languages
If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk SPL, you might use the mvcount function to determine the length of a multivalue field. In APL, array_length serves the same purpose by returning the size of an array within a column.
['sample-http-logs']
| extend array_size = array_length(array_field)In ANSI SQL, you would use functions such as CARDINALITY or ARRAY_LENGTH (in databases that support arrays) to get the length of an array. In APL, the array_length function is straightforward and works directly with array fields in any dataset.
['sample-http-logs']
| extend array_size = array_length(array_field)Usage
Syntax
array_length(array_expression)Parameters
- array_expression: An expression representing the array to measure.
Returns
The function returns an integer representing the number of elements in the specified array.
Use case example
In OpenTelemetry traces, array_length can reveal the number of events associated with a span.
Query
['otel-demo-traces']
| take 50
| extend event_count = array_length(events)
| where event_count > 2Output
| _time | trace_id | span_id | service.name | event_count |
|---|---|---|---|---|
| 2024-10-28T12:30:00 | trace_abc123 | span_001 | frontend | 3 |
This query finds spans associated with at least three events.
List of related functions
- array_slice: Extracts a subset of elements from an array.
- array_concat: Combines multiple arrays.
- array_shift_left: Shifts array elements one position to the left, moving the first element to the last position.