The pack_array function in APL creates an array from individual values or expressions. You can use this function to group related data into a single field, which can simplify handling and querying of data collections. It’s especially useful when working with nested data structures or aggregating data into arrays for further processing.
For users of other query languages
If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk SPL, you typically use functions like mvappend to create multi-value fields. In APL, the pack_array function serves a similar purpose by combining values into an array.
| extend array_field = pack_array(value1, value2, value3)
In ANSI SQL, arrays are often constructed using functions like ARRAY. The pack_array function in APL performs a similar operation, creating an array from specified values.
| extend array_field = pack_array(value1, value2, value3)
Usage
Syntax
pack_array(value1, value2, ..., valueN)
Parameters
| Parameter | Description |
|---|---|
| value1 | The first value to include in the array. |
| value2 | The second value to include in the array. |
| ... | Additional values to include in the array. |
| valueN | The last value to include in the array. |
pack_array(*) packs only the values, not the field names. For key-value pairs, use bag_pack(*) instead.
Returns
An array containing the specified values in the order they are provided.
Use case example
Use pack_array to consolidate span data into an array for a trace summary.
Query
['otel-demo-traces']
| extend span_summary = pack_array(['service.name'], kind, duration)
Output
| service.name | kind | duration | span_summary |
|---|---|---|---|
| frontend | server | 123ms | ["frontend", "server", "123ms"] |
This query creates a concise representation of span details.
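The note above that pack_array keeps only values while bag_pack keeps key-value pairs can be seen by building both from the same span fields. This is an added example, not part of the original documentation; it reuses the dataset and fields from the use case above, and the column names span_values, span_fields and value_count are illustrative.

```kusto
['otel-demo-traces']
// Positional: field names are dropped, so a consumer must know that
// index 0 is the service, 1 the span kind and 2 the duration.
| extend span_values = pack_array(['service.name'], kind, duration)
// Keyed: each value stays attached to an explicit name.
| extend span_fields = bag_pack('service.name', ['service.name'], 'kind', kind, 'duration', duration)
// Guard for downstream logic that relies on positions: every row should report 3.
| extend value_count = array_length(span_values)
| project span_values, span_fields, value_count
```

Prefer the array when the order is fixed and documented, and the bag when rows are exported to a system that does not know the column order.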
List of related functions
- array_slice: Extracts a subset of elements from an array.
- array_concat: Combines multiple arrays.
- array_length: Returns the number of elements in an array.