Skip to content

setIntersection - The intersection of two arrays

setIntersection returns the intersection of the two arrays.

NOTE: Both arrays are treated as Sets which means

  • Duplicates are removed from both arrays
  • Order is not preserved in the resulting array
  • null is treated as an empty set.

Syntax

setIntersection(array1: array<T>, array2: array<T>): array<T>

Arguments

Name Type Required Description
array1 array of type T true T must be either string, bool, number, interval, timestamp, regexp or enum
array2 array of type T true T must be either string, bool, number, interval, timestamp, regexp or enum

Example - Comparing IPs to a block list

Consider the following documents:

{
    "ip_address": "156.76.87.4",
    "path": "/home"
},
{
    "ip_address": "156.76.87.4",
    "path": "/checkout"
},
{
    "ip_address": "156.76.12.4",
    "path": "/home"
},
{
    "ip_address": "156.76.1.4",
    "path": "/home"
}

We want to see if any of the IP addresses listed in the above traffic, are in a block list. First, we'll use a collect aggregation to create a new array.

groupby path collect(ip_address) as ip_addresses

This results in the following documents:

{
    "path": "/home",
    "ip_addresses": ["156.76.87.4", "156.76.12.4", "156.74.1.4"]
},
{
    "path": "/checkout",
    "ip_addresses": ["156.76.87.4"]
}

We now know which IP addresses accessed which paths. We can now compare them against our known block list:

create unauthorized_ip_addresses from ip_addresses.setDiff(["156.76.12.4", "156.76.87.4"])

This results in the following documents:

{
    "path": "/home",
    "ip_addresses": ["156.76.87.4", "156.76.12.4", "156.74.1.4"],
    "unauthorized_ip_addresses": ["156.76.87.4", "156.76.12.4"]
},
{
    "path": "/checkout",
    "ip_addresses": ["156.76.87.4"],
    "unauthorized_ip_addresses": []
}

As we can see, the path value /home has been accesed by two IP addresses that are present on our block list.