split() Query Function

Splits an event structure created from a JSON array into distinct events. When Humio ingests JSON arrays, each array entry is turned into separate attributes named [0], [1], … This function takes such an event and splits it into multiple events based on the prefix of such [N] attributes, allowing aggregate functions to run across array values. It is not very efficient, so it should only be used after some aggressive filtering.


| Name | Type | Required | Default | Description |
|------|------|----------|---------|-------------|
| field | string | No | _events | Field to split by |
| strip | bool | No | false | Strip the field prefix when splitting (default is false) |

field is the unnamed parameter.


In GitHub events, a PushEvent contains an array of commits, and each commit gets expanded into subattributes of payload.commit_0, payload.commit_1, …. Humio cannot sum, count, etc. across such attributes. The query below expands each PushEvent into one PushEvent per commit so that they can be counted.

type=PushEvent | split(payload.commits) | groupby(payload.commits.author.email) | sort()
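
A small Python model of what the query above does to one flattened event, added here as an illustration; it is not Humio's implementation. It assumes the `field[N].sub` key naming from the description, and the `split_event` helper and the sample event are constructed for the example.

```python
import re
from collections import Counter

def split_event(event, field="_events", strip=False):
    """Model of split(): return one event per array index found under `field`."""
    pattern = re.compile(r"^" + re.escape(field) + r"\[(\d+)\](.*)$")
    shared, per_index = {}, {}
    for key, value in event.items():
        match = pattern.match(key)
        if match is None:
            shared[key] = value  # non-array fields are copied into every output event
            continue
        index, rest = int(match.group(1)), match.group(2)
        # strip=True drops the field prefix; otherwise only the [N] part is removed.
        name = rest.lstrip(".") if strip else field + rest
        # Assumption: a scalar array element keeps the field name itself.
        per_index.setdefault(index, {})[name or field] = value
    return [{**shared, **per_index[i]} for i in sorted(per_index)]

def commits_per_author(events):
    """Model of: split(payload.commits) | groupby(payload.commits.author.email)"""
    counts = Counter()
    for event in events:
        for part in split_event(event, "payload.commits"):
            counts[part["payload.commits.author.email"]] += 1
    return counts

# Constructed sample: a flattened PushEvent with three commits (not real GitHub data).
SAMPLE_EVENT = {
    "type": "PushEvent",
    "repo.name": "example/repo",
    "payload.commits[0].author.email": "alice@example.com",
    "payload.commits[0].sha": "aaa111",
    "payload.commits[1].author.email": "bob@example.com",
    "payload.commits[1].sha": "bbb222",
    "payload.commits[2].author.email": "alice@example.com",
    "payload.commits[2].sha": "ccc333",
}

if __name__ == "__main__":
    for part in split_event(SAMPLE_EVENT, "payload.commits"):
        print(part)
    print(commits_per_author([SAMPLE_EVENT]).most_common())
```

Before the split, the author of each commit lives in a differently named field, so no single field exists to group on; after it, every output event carries the same field name and the count per author works.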