Extract first array element after split for grouping

[patsevanton]

Is your question related to a specific component?

LogsQL

Describe the question in detail

Hello,

I have the following LogsQL query that splits logs from the nginx-log-generator container by "?" in the _msg field:

kubernetes.container_name: "nginx-log-generator" | split "?" from _msg

This produces logs like:

2025-12-30 09:43:30.254522801 ["/api/v1/users","RequestId=1ab2c345-d6e7-4890-b1c2-d3e4f5a6b7c8"]
2025-12-30 09:43:29.255310492 ["/api/v1/users","RequestId=123e4567-e89b-12d3-a456-426614174000"]
2025-12-30 09:43:28.255173279 ["/api/v1/users","RequestId=1ab2c345-d6e7-4890-b1c2-d3e4f5a6b7c8"]

The split creates an array in a field (likely _msg[0] or similar), where the first element is the path like "/api/v1/users".

Question: How can I extract just the first element of this array (e.g. "/api/v1/users") into a new field, so I can then group by it with stats by (path) or similar?
​

For example, something like:

... | split "?" from _msg | extract_first_array_element as path | stats by (path) count()

I've checked the docs for split, unroll, unpack_json, extract, but couldn't find a direct way to pick the first array item after split. Is there a pipe or function for this?
​

Key concepts docs

• VictoriaLogs key concepts - https://docs.victoriametrics.com/victorialogs/keyconcepts/
• LogsQL - https://docs.victoriametrics.com/victorialogs/logsql/

[withlin]

hi @patsevanton

it should that there is no dedicated array index pipe, but you can extract the first item from the split result or directly extract the part before the question mark from _msg.

can u try bellow logsql?

kubernetes.container_name:"nginx-log-generator"
  | split "?" from _msg as parts
  | extract '["<path>"' from parts
  | stats by (path) count()

[patsevanton]

And how do I get the second element?

please add example extract '[""' from parts to https://docs.victoriametrics.com/victorialogs/logsql/#extract-pipe

[withlin]

And how do I get the second element?

kubernetes.container_name:"nginx-log-generator"
  | split "?" from _msg as parts
  | extract '["<path>","<request_id>"' from parts
  | stats by (path) count()

please add example extract '[""' from parts to https://docs.victoriametrics.com/victorialogs/logsql/#extract-pipe

will PR later

[patsevanton]

It would be nice to add a similar example in https://docs.victoriametrics.com/victorialogs/logsql/#extract-pipe

I'm thinking of closing the issue after adding the fix to the documentation.

[withlin]

hi @patsevanton already PR to fixed that. still waiting approve

[valyala]

@patsevanton , if you need extracting the substring in front of ? char from some field, them it is better from performance and readability PoV to use extract pipe. For example, the following LogsQL query extracts url without query args from the url field across logs for the last 5 minutes, and puts it into url_without_query_args field:

_time:5 | extract "<url_without_query_args>?" from url

See extract pipe docs for details.

If you need to extract query args from the url field into query_args field, then use the following query:

_time:5m | extract "?<query_args>" from url

As for extracting string items from the given position of JSON array (which can be generated by
split pipe), then just use the following pattern in the extract pipe:

_time:5m | extract "[<first_item>,<second_item>,<_>,<fourth_item>"

Note that you don't need specifying quotes inside the pattern because the extract pipe automatically matches quoted JSON strings - this is documented at https://docs.victoriametrics.com/victorialogs/logsql/#format-for-extract-pipe-pattern .

Closing this question as answered. I don't think the answer must be added to the LogsQL docs, since it is quite obvious.