Splits an event structure created by a JSON array into distinct events. When Humio ingests JSON arrays, each array entry is turned into separate attributes named , , … This function takes such an event and splits it into multiple events based on the prefix of such [N] attributes, allowing aggregate functions to run across array values. It is not very efficient, so it should only be used after some aggressive filtering.
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| field | string | No | _events | Field to split by |
| strip | bool | No | false | Strip the field prefix when splitting (default is false) |
field is the unnamed parameter.
In GitHub events, a PushEvent contains an array of commits, and each commit gets expanded into subattributes of payload.commit_0, payload.commit_1, …. Humio cannot sum, count, etc. across such attributes. The following query expands each PushEvent into one PushEvent for each commit so they can be counted.
type=PushEvent | split(payload.commits) | groupby(payload.commits.author.email) | sort()
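
The effect of the query above can be modelled in a few lines of Python. This is an added illustration, not Humio's implementation: the `payload.commits[N]...` attribute names, the sample events, and the pass-through of events without array entries are assumptions made for the example.

```python
import re
from collections import Counter

def split(event, field="_events", strip=False):
    """Model of split(): one output event per array index found under `field`."""
    pattern = re.compile(r"^" + re.escape(field) + r"\[(\d+)\](.*)$")
    shared, per_index = {}, {}
    for name, value in event.items():
        m = pattern.match(name)
        if m is None:
            shared[name] = value  # non-array attribute: copied to every output event
            continue
        index, rest = int(m.group(1)), m.group(2)
        # "payload.commits[1].author.email" -> "payload.commits.author.email",
        # or just "author.email" when strip is true
        new_name = rest.lstrip(".") if strip else field + rest
        per_index.setdefault(index, {})[new_name or field] = value
    if not per_index:
        return [dict(event)]  # assumption: nothing to split, pass through unchanged
    return [{**shared, **per_index[i]} for i in sorted(per_index)]

# Constructed sample events, flattened the way the text describes ([N] attributes).
EVENTS = [
    {"type": "PushEvent", "actor.login": "alice",
     "payload.commits[0].author.email": "alice@example.com",
     "payload.commits[1].author.email": "bob@example.com"},
    {"type": "PushEvent", "actor.login": "bob",
     "payload.commits[0].author.email": "bob@example.com"},
    {"type": "WatchEvent", "actor.login": "carol"},
]

def commits_per_author(events):
    """type=PushEvent | split(payload.commits) | groupby(...) | sort()"""
    counts = Counter()
    for ev in events:
        if ev.get("type") != "PushEvent":  # filter first: split is the costly step
            continue
        for commit in split(ev, "payload.commits"):
            counts[commit["payload.commits.author.email"]] += 1
    return counts.most_common()  # highest count first

if __name__ == "__main__":
    for email, n in commits_per_author(EVENTS):
        print(email, n)
```

Without the split step, the two commits in the first event sit under different attribute names and cannot be grouped by one field.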