The array_length function in APL (Axiom Processing Language) returns the length of an array. You can use this function to analyze and filter data by array size, such as identifying log entries with specific numbers of entries or events with multiple tags. This function is useful for analyzing structured data fields that contain arrays, such as lists of error codes, tags, or IP addresses.

For users of other query languages

If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk SPL, you might use the mvcount function to determine the length of a multivalue field. In APL, array_length serves the same purpose by returning the size of an array within a column.
| eval array_size = mvcount(array_field)
In ANSI SQL, you would use functions such as CARDINALITY or ARRAY_LENGTH (in databases that support arrays) to get the length of an array. In APL, the array_length function is straightforward and works directly with array fields in any dataset.
SELECT CARDINALITY(array_field) AS array_size
FROM sample_table

Usage

Syntax

array_length(array_expression)

Parameters

  • array_expression: An expression representing the array to measure.

Returns

The function returns an integer representing the number of elements in the specified array.

Use case example

In OpenTelemetry traces, array_length can reveal the number of events associated with a span. Query 
['otel-demo-traces']
| take 50
| extend event_count = array_length(events)
| where event_count > 2
Run in Playground Output
_timetrace_idspan_idservice.nameevent_count
2024-10-28T12:30:00trace_abc123span_001frontend3
This query finds spans associated with at least three events.
  • array_slice: Extracts a subset of elements from an array.
  • array_concat: Combines multiple arrays.
  • array_shift_left: Shifts array elements one position to the left, moving the first element to the last position.