expand

Use expand to take a field containing a JSON array and create a separate log event for each element in the array. All other fields from the original log event are duplicated in each new event.

Syntax


expand fieldName

Example

If a log event contains items = ["apple","banana","cherry"] and host = "web-01", then expand items produces three log events: {items: "apple", host: "web-01"}, {items: "banana", host: "web-01"}, and {items: "cherry", host: "web-01"}.


expand items
| stats count(*) by items, host

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

relevantfields

sort