pack_dictionary
This page explains how to use the pack_dictionary function in APL.
Use the pack_dictionary function in APL to construct a dynamic property bag (dictionary) from a list of keys and values. The resulting dictionary maps each specified key to its corresponding value and allows you to store key-value pairs in a single column for downstream operations like serialization, custom grouping, or structured export.
pack_dictionary is especially useful when you want to:
- Create flexible data structures for export or transformation.
- Group dynamic sets of key-value metrics or attributes into a single column.
- Combine multiple scalar fields into a single dictionary for post-processing or output.
For users of other query languages
If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
Splunk SPL users
Splunk SPL users
While SPL doesn’t have a direct equivalent of pack_dictionary, you can simulate similar behavior using the eval command and mvzip or mvmap to construct composite objects. In APL, pack_dictionary is a simpler and more declarative way to produce key-value structures inline.
ANSI SQL users
ANSI SQL users
ANSI SQL lacks built-in support for dynamic dictionaries. You typically achieve similar functionality by manually assembling JSON strings or using vendor-specific extensions (like PostgreSQL’s jsonb_build_object). In contrast, APL provides a native and type-safe way to construct dictionaries using pack_dictionary.
Usage
Syntax
Parameters
| Name | Type | Description |
|---|---|---|
| keyN | string | A constant string that represents a dictionary key. |
| valueN | scalar | A scalar value to associate with the corresponding key. |
- The number of arguments must be even.
- Keys must be constant strings.
- Values can be any scalar type.
Returns
A dynamic object that represents a dictionary where each key maps to its associated value.
Use case examples
Use pack_dictionary to store request metadata in a compact format for structured inspection or export.
Query
Output
| _time | id | request_info |
|---|---|---|
| 2025-06-18T14:35:00Z | user42 | { "method": "GET", "uri": "/home", "status": "200", "duration": 82 } |
This example creates a single request_info column that contains key HTTP request data as a dictionary, simplifying downstream analysis or visualization.
Use pack_dictionary to store request metadata in a compact format for structured inspection or export.
Query
Output
| _time | id | request_info |
|---|---|---|
| 2025-06-18T14:35:00Z | user42 | { "method": "GET", "uri": "/home", "status": "200", "duration": 82 } |
This example creates a single request_info column that contains key HTTP request data as a dictionary, simplifying downstream analysis or visualization.
Use pack_dictionary to consolidate trace metadata into a structured format for export or debugging.
Query
Output
| _time | duration | trace_metadata |
|---|---|---|
| 2025-06-18T14:40:00Z | 00:00:01 | { "trace_id": "abc123", "span_id": "def456", "service": "checkoutservice", "kind": "server", "status_code": "OK" } |
This query generates a trace_metadata column that organizes important trace identifiers and status into a single dynamic field.
Use pack_dictionary to package request metadata along with geographic information for audit logging or incident forensics.
Query
Output
| _time | id | request_info |
|---|---|---|
| 2025-06-18T14:20:00Z | user88 | { "method": "POST", "uri": "/login", "status": "403", "geo": { "city": "Berlin", "country": "DE" } } |
This example nests geographic context inside the main dictionary to create a structured log suitable for security investigations.
List of related functions
- pack_array: Use this to combine scalar values into an array. Use
pack_arraywhen you don’t need named keys and want positional data instead. - bag_keys: Returns the list of keys in a dynamic dictionary. Use this to inspect or filter contents created by
pack_dictionary. - bag_pack: Expands a dictionary into multiple columns. Use it to revert the packing performed by
pack_dictionary.