explode
Creates a record for each element of the specified array or collection field. This command is generally used to pivot array (horizontal) data into row (vertical) format. If the specified field does not exist, is not an array, or is null, the original record is passed through unchanged.
Command properties
| Item | Description |
|---|---|
| Command type | Transforming |
| Required permission | None |
| License usage | N/A |
| Parallel execution | Supported |
| Distributed execution | Runs on Data Node (mapper) |
Syntax
Target
FIELD- Name of the array or collection field to expand. You must specify a field name.
Error codes
Parse errors
| Error code | Message | Description |
|---|---|---|
| 20300 | 올바르지 않는 필드 이름입니다. | The field name is not specified |
Runtime errors
N/A
Description
The explode command expands the array or collection value of the specified field into multiple records, one per element. Other fields from the original record are copied to all generated records.
If the specified field is not an array or collection, the original record is passed through unchanged. If the specified field is null or does not exist, the original record is also passed through unchanged.
Examples
-
Expand array fields and aggregate
json "[{'line': '192.0.2.1 198.51.100.2'}, {'line': '198.51.100.2 203.0.113.3'}]" | eval ip = split(line, " ") | explode ip | stats count by ipConverts IP address strings separated by spaces into arrays using the
splitfunction, expands each IP into separate records usingexplode, and then counts the number of records per IP. -
Expand parsed array fields into rows
table duration=1h FIREWALL_LOG | parsejson | explode tagsParses JSON-formatted logs and expands each element of the
tagsarray field into a separate record.