Use the bag_has_key function in APL to check whether a dynamic property bag contains a specific key. This is helpful when your data includes semi-structured or nested fields encoded as dynamic objects, such as JSON-formatted logs or telemetry metadata.

You often encounter property bags in observability data where log entries, spans, or alerts carry key–value metadata. Use bag_has_key to filter, conditionally process, or join such records based on the existence of specific keys, without needing to extract the values themselves.

For users of other query languages

If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.

In Splunk SPL, you often check whether a key exists in a JSON object using spath and conditional logic. APL simplifies this with bag_has_key, which returns a boolean directly and avoids explicit parsing.

```sql Splunk example | eval hasKey=if(isnull(spath(data, "keyName")), false, true) ```` 
['sample-http-logs']
| where bag_has_key(dynamic_field, 'keyName')

ANSI SQL doesn’t include native support for property bags or dynamic fields. You typically use JSON functions to access keys in JSON-formatted strings. In APL, dynamic fields are first-class, and bag_has_key provides direct support for key existence checks.

```sql SQL example SELECT * FROM logs WHERE JSON_EXTRACT(json_column, '$.keyName') IS NOT NULL ``` 
['sample-http-logs']
| where bag_has_key(dynamic_field, 'keyName')

Usage

Syntax

bag_has_key(bag: dynamic, key: string)

Parameters

Name Type Description
bag dynamic A dynamic value representing a property bag (e.g., JSON object).
key string The key to check for within the property bag.

Returns

Returns a bool value:

  • true if the specified key exists in the property bag
  • false otherwise

Use case examples

Use bag_has_key to filter log entries that include a specific metadata key embedded in a dynamic object.

Query

['sample-http-logs']
| extend metadata = bag_pack('source', 'cdn', 'env', 'prod')
| where bag_has_key(metadata, 'env')
| project _time, id, method, uri, status, metadata

Run in Playground

Output

_time id method uri status metadata
2025-05-27T12:30Z u123 GET /login 200 {'source':'cdn','env':'prod'}
2025-05-27T12:31Z u124 POST /cart/checkout 500 {'source':'cdn','env':'prod'}

The query filters logs where the synthetic metadata bag includes the key 'env'.

Use bag_has_key to filter spans that include specific dynamic span attributes.

Query

['otel-demo-traces']
| extend attributes = bag_pack('user', 'alice', 'feature_flag', 'beta')
| where bag_has_key(attributes, 'feature_flag')
| project _time, trace_id, span_id, ['service.name'], kind, attributes

Run in Playground

Output

_time trace_id span_id ['service.name'] kind attributes
2025-05-27T10:02Z abc123 span567 frontend client {'user':'alice','feature_flag':'beta'}

The query selects spans with dynamic attributes bags containing the 'feature_flag' key.

Use bag_has_key to identify HTTP logs where the request metadata contains sensitive audit-related keys.

Query

['sample-http-logs']
| extend audit_info = bag_pack('action', 'delete', 'reason', 'admin_override')
| where bag_has_key(audit_info, 'reason')
| project _time, id, uri, status, audit_info

Run in Playground

Output

_time id uri status audit_info
2025-05-27T13:45Z u999 /admin/delete 403 {'action':'delete','reason':'admin_override'}

The query returns only logs where the audit_info bag includes the 'reason' key, indicating administrative override events.
  • bag_keys: Returns all keys in a dynamic property bag. Use it when you need to enumerate available keys.
  • bag_pack: Converts a list of key-value pairs to a dynamic property bag. Use when you need to build a bag.

Good morning

I'm here to help you with the docs.

I
AIBased on your context