Here is an idea: Select events in which list{}.name has one unique value "Hello", and has a value of "code" as the first element of list{}.type.

| where mvindex('list{}.type', 0) == "code" AND 'list{}.name' == "Hello" AND mvcount(mvdedup('list{}.name')) == 1

However, given that list is an array, selecting only the first element for matching may not be what the use case demands. (Work with developers to figure out what semantics array order may convey.) Here is one to select any element with value "code".

| where 'list{}.type' == "code" AND 'list{}.name' == "Hello" AND mvcount(mvdedup('list{}.name')) == 1

Here is an emulation of your mock data for you to play with and compare with real data:

| makeresults
| fields - _*
| eval data = mvappend("{
\"list\": [
{\"name\": \"Hello\", \"type\": \"code\"},
{\"name\": \"Hello\", \"type\": \"document\"}
]
}",
"{
\"list\": [
{\"name\": \"Hello\", \"type\": \"code\"},
{\"name\": \"World\", \"type\": \"document\"}
]
}",
"{
\"list\": [
{\"name\": \"Hello\", \"type\": \"document\"},
{\"name\": \"Hello\", \"type\": \"document\"}
]
}")
| mvexpand data
| rename data AS _raw
| spath
``` data emulation above ```

With this data, output is the same for both variants:

| _raw | list{}.name | list{}.type |
|---|---|---|
| { "list": [ {"name": "Hello", "type": "code"}, {"name": "Hello", "type": "document"} ] } | Hello Hello | code document |
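An added Python example (not part of the original post, and not Splunk code) that models the two `where` variants over the post's three mock events plus one constructed fourth event, where "code" sits in the second array position and the variants diverge. The function names and the fourth event are assumptions made for illustration; the any-value behaviour of `==` on a multivalue field is taken from the post.

```python
import json

# Constructed events: the first three mirror the post's mock data; the
# fourth is an added case with "code" in the second array position.
EVENTS = [
    '{"list": [{"name": "Hello", "type": "code"}, {"name": "Hello", "type": "document"}]}',
    '{"list": [{"name": "Hello", "type": "code"}, {"name": "World", "type": "document"}]}',
    '{"list": [{"name": "Hello", "type": "document"}, {"name": "Hello", "type": "document"}]}',
    '{"list": [{"name": "Hello", "type": "document"}, {"name": "Hello", "type": "code"}]}',
]


def flatten(raw):
    """Mimic spath: one multivalue field per key, array order preserved."""
    fields = {}
    for item in json.loads(raw).get("list", []):
        for key, value in item.items():
            fields.setdefault("list{}." + key, []).append(value)
    return fields


def single_name(fields, name):
    """'list{}.name' == name AND mvcount(mvdedup('list{}.name')) == 1"""
    names = fields.get("list{}.name", [])
    return name in names and len(set(names)) == 1


def first_element_match(fields):
    """Variant 1: mvindex('list{}.type', 0) == "code"."""
    types = fields.get("list{}.type", [])
    return bool(types) and types[0] == "code" and single_name(fields, "Hello")


def any_element_match(fields):
    """Variant 2: 'list{}.type' == "code", true if any value equals "code"."""
    return "code" in fields.get("list{}.type", []) and single_name(fields, "Hello")


def select(predicate):
    """Return the 1-based positions of EVENTS that the predicate keeps."""
    return [i for i, raw in enumerate(EVENTS, 1) if predicate(flatten(raw))]


if __name__ == "__main__":
    print("first element:", select(first_element_match))  # [1]
    print("any element:  ", select(any_element_match))    # [1, 4]
```

Both variants keep only event 1 from the post's data, which is why their output matches there; the constructed event 4 is kept only by the any-element variant.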