flatten
The flatten command converts a struct or object field into individual top-level fields within a document. Each key in the struct becomes its own column. The resulting fields are ordered lexicographically by their original key names.
Syntax
```
flatten <field> [as (<alias-list>)]
```
Arguments
Required
| Argument | Description |
|---|---|
| `<field>` | The struct or object field to flatten. Only object and nested field types are supported. |
Optional
| Argument | Default | Description |
|---|---|---|
| `as (<alias-list>)` | Original key names | Comma-separated aliases for the flattened fields. Must be enclosed in parentheses if more than one alias. The number of aliases must match the number of keys, and they map in lexicographic order of the original keys. |
Usage notes
- Do not apply `flatten` to array fields. Use expand to split arrays into rows first, then `flatten` each resulting object.
- When a field contains a nested array, only the first element of the array is flattened.
- The `flatten` command may not work as expected if flattened fields are hidden. For example, `source=logs-otel-v1* | fields instrumentationScope | flatten instrumentationScope` fails because sub-fields like `instrumentationScope.name` are hidden after `fields instrumentationScope`. Instead, use `source=logs-otel-v1* | flatten instrumentationScope`.
- Aliases must follow the lexicographic order of original keys. For a struct with keys `b`, `c`, `Z`, provide aliases in the order `Z`, `b`, `c` (uppercase sorts before lowercase).
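
The alias ordering rule above is easy to get wrong in a hand-written query, and a misordered list mislabels columns that later filters or detections depend on. The sketch below is an added example, not OpenSearch code: it models the rules stated on this page in Python, assuming "lexicographic" means code-point order, and `flatten_clause` and `apply_aliases` are hypothetical helper names.

```python
# Added example: models the alias rules described on this page.
# It is not OpenSearch code; function names here are hypothetical.


def flatten_clause(field, renames):
    """Build a flatten clause from {original_key: alias}.

    Aliases are emitted in lexicographic order of the ORIGINAL keys,
    the order in which the page says they are mapped.
    """
    if not renames:
        return f"flatten {field}"
    # Assumption: "lexicographic" means code-point order, so 'Z' < 'b'.
    aliases = [renames[key] for key in sorted(renames)]
    return f"flatten {field} as ({', '.join(aliases)})"


def apply_aliases(struct, aliases):
    """Model how a positional alias list lands on a struct's keys."""
    if not isinstance(struct, dict):
        raise TypeError("only object fields can be flattened")
    keys = sorted(struct)
    if len(aliases) != len(keys):
        raise ValueError(f"{len(keys)} keys but {len(aliases)} aliases")
    return {alias: struct[key] for key, alias in zip(keys, aliases)}


# Constructed sample, shaped like an instrumentationScope object.
SCOPE = {"name": "auth-service", "version": "1.4.2", "attributes": {"env": "prod"}}

if __name__ == "__main__":
    wanted = {"name": "scope_name", "version": "scope_version",
              "attributes": "scope_attrs"}
    print(flatten_clause("instrumentationScope", wanted))
    # Aliases written in "natural" order instead of key order: every
    # column is mislabelled, and the model raises no error.
    print(apply_aliases(SCOPE, ["scope_name", "scope_version", "scope_attrs"]))
    # The b, c, Z case from the usage notes.
    print(apply_aliases({"b": 1, "c": 2, "Z": 3}, ["z_val", "b_val", "c_val"]))
```

Building the alias list from a key-to-alias mapping keeps the positional order correct if keys are added to the struct later.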
Examples
Flatten an object field
Flatten the instrumentationScope object from OTel log records into its component fields (name, version, attributes):
```
source = logs-otel-v1*
| flatten instrumentationScope
```
Flatten with aliases
Rename flattened fields using aliases (in lexicographic order of original keys: attributes, name, version):
```
source = logs-otel-v1*
| flatten instrumentationScope as (scope_attrs, scope_name, scope_version)
```
Flatten after filtering
Filter for error logs first, then flatten to reduce data volume before restructuring:
```
source = logs-otel-v1*
| where severityText = 'ERROR'
| flatten instrumentationScope
```
Extended examples
Flatten OTel span attributes for analysis
OTel span documents store HTTP metadata in nested objects. Flatten them for easier querying:
```
source = otel-v1-apm-span-*
| flatten attributes
| where `http.status_code` >= 400
| stats count() as error_count by serviceName, `http.status_code`
```
Expand and flatten a nested array of objects
Combine expand and flatten to work with arrays of structured objects. First expand the array into rows, then flatten each object:
```
source = logs-otel-v1*
| expand resource.attributes as attr
| flatten attr
| sort - key
```