set_has_element returns true when a dynamic array contains a specific element and false when it does not. Use it to perform fast membership checks on values that you have already aggregated into a set with functions such as make_set.

For users of other query languages

If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk, you usually use the in operator for scalar membership or multivalue functions such as mvfind for arrays. set_has_element plays the role of those helpers after you build a multivalue field with stats values.
index=web
| stats values(uri) AS uris BY id
| where "/checkout" in uris
Standard SQL has no built-in array type, but dialects that implement arrays (for example PostgreSQL) use the ANY or member of operators. set_has_element is the APL counterpart and is applied after you build an array with ARRAY_AGG equivalents such as make_set.
SELECT   id
FROM     sample_http_logs
GROUP BY id
HAVING   'US' = ANY(ARRAY_AGG(country));
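
The two queries above, expressed in APL as one pipeline. This is an added example, not taken from the original page; it assumes the sample-http-logs dataset exposes the fields id, uri and ['geo.country'], and the column names uris, countries, hit_checkout and from_us are hypothetical.

```kusto
// Added example. Assumed fields: id, uri, ['geo.country'].
['sample-http-logs']
// Aggregate each id's distinct URIs and countries into sets (dynamic arrays).
| summarize uris = make_set(uri), countries = make_set(['geo.country']) by id
// Membership checks on the aggregated sets.
| extend hit_checkout = set_has_element(uris, '/checkout'),
         from_us = set_has_element(countries, 'US')
// Keep ids that either the Splunk or the SQL query above would return.
| where hit_checkout or from_us
| project id, hit_checkout, from_us
```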

Usage

Syntax

set_has_element(set, value)

Parameters

| Name | Type | Description |
| --- | --- | --- |
| set | dynamic | The array to search. |
| value | scalar | The element to look for. Accepts long, real, datetime, timespan, string, bool. |

Returns

A bool that is true when value exists in set and false otherwise.

Example

Use set_has_element to determine if a set contains a specific value.

Query

['sample-http-logs']
| extend hasElement = set_has_element(dynamic([1, 2, 3]), 2)

Output

| _time | hasElement |
| --- | --- |
| May 22, 11:42:52 | true |

  • set_difference: Returns elements in the first array that are not in the second. Use it to find exclusions.
  • set_union: Returns the union of two or more sets. Use it when you need any element that appears in at least one set instead of every set.