unnest

Based on the number of items that a field contains, this command discards the current record and generates new records. Each record includes the unnested_field, which represents each item. All other fields are from the original record.

The input for unnest needs to be LIST, which can come from the jsonParse function. Any other types, such as MAP, String and numbers, are treated as a list with one item in unnest.

Command structure

The following example describes the format of this command.


unnest field into unnested_field

Example query

The following example parses a JSON object string and expands a list of field events.


fields jsonParse(@message) as json_message 
| unnest json_message.events into event

Example query

The following example flattens a list and then filters out items.


fields jsonParse(@message) as js 
| unnest js.accounts into account 
| filter account.type = "internal"

Example query

The following example flattens a list for aggregation.


fields jsonParse(trimmedData) as accounts 
| unnest accounts into account 
| stats sum(account.droppedSpans) as n by account.accountId 
| sort n desc 
| limit 10

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

unmask

Boolean, comparison, numeric, datetime, and other functions