Add bag functions (#297)

Author: tothmano

apl/scalar-functions/array-functions.mdx

@@ -23,6 +23,9 @@ The table summarizes the array functions available in APL.
 | [array_slice](/apl/scalar-functions/array-functions/array-slice)             | Extracts a slice of a dynamic array.                                                                                |
 | [array_split](/apl/scalar-functions/array-functions/array-split)             | Splits an array to multiple arrays according to the split indices and packs the generated array in a dynamic array. |
 | [array_sum](/apl/scalar-functions/array-functions/array-sum)                 | Calculates the sum of elements in a dynamic array.                                                                  |
+| [bag_has_key](/apl/scalar-functions/array-functions/bag-has-key)                 | Checks whether a dynamic property bag contains a specific key.                                                                  |
+| [bag_keys](/apl/scalar-functions/array-functions/bag-keys)                 | Returns all keys in a dynamic property bag.                                                                  |
+| [bag_pack](/apl/scalar-functions/array-functions/bag-pack)                 | Converts a list of key-value pairs to a dynamic property bag.                                                                  |
 | [isarray](/apl/scalar-functions/array-functions/isarray)                     | Checks whether a value is an array.                                                                                 |
 | [pack_array](/apl/scalar-functions/array-functions/pack-array)               | Packs all input values into a dynamic array.                                                                        |
 | [strcat_array](/apl/scalar-functions/array-functions/strcat-array)               | Takes an array and returns a single concatenated string with the array’s elements separated by the specified delimiter. |
@@ -31,4 +34,4 @@ The table summarizes the array functions available in APL.
 
 Most array functions accept a dynamic array as their parameter. Dynamic arrays allow you to add or remove elements. You can change a dynamic array with an array function.
 
-A dynamic array expands as you add more elements. This means that you don’t need to determine the size in advance.
+A dynamic array expands as you add more elements. This means that you don’t need to determine the size in advance.

apl/scalar-functions/array-functions/bag-has-key.mdx

@@ -0,0 +1,156 @@
+---
+title: bag_has_key
+description: 'This page explains how to use the bag_has_key function in APL.'
+---
+
+Use the `bag_has_key` function in APL to check whether a dynamic property bag contains a specific key. This is helpful when your data includes semi-structured or nested fields encoded as dynamic objects, such as JSON-formatted logs or telemetry metadata.
+
+You often encounter property bags in observability data where log entries, spans, or alerts carry key–value metadata. Use `bag_has_key` to filter, conditionally process, or join such records based on the existence of specific keys, without needing to extract the values themselves.
+
+## For users of other query languages
+
+If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
+
+<AccordionGroup>
+<Accordion title="Splunk SPL users">
+
+In Splunk SPL, you often check whether a key exists in a JSON object using `spath` and conditional logic. APL simplifies this with `bag_has_key`, which returns a boolean directly and avoids explicit parsing.
+
+<CodeGroup>
+```sql Splunk example
+| eval hasKey=if(isnull(spath(data, "keyName")), false, true)
+````
+
+```kusto APL equivalent
+['sample-http-logs']
+| where bag_has_key(dynamic_field, 'keyName')
+```
+
+</CodeGroup>
+
+</Accordion>
+<Accordion title="ANSI SQL users">
+
+ANSI SQL doesn’t include native support for property bags or dynamic fields. You typically use JSON functions to access keys in JSON-formatted strings. In APL, dynamic fields are first-class, and `bag_has_key` provides direct support for key existence checks.
+
+<CodeGroup>
+```sql SQL example
+SELECT *
+FROM logs
+WHERE JSON_EXTRACT(json_column, '$.keyName') IS NOT NULL
+```
+
+```kusto APL equivalent
+['sample-http-logs']
+| where bag_has_key(dynamic_field, 'keyName')
+```
+
+</CodeGroup>
+
+</Accordion>
+</AccordionGroup>
+
+## Usage
+
+### Syntax
+
+```kusto
+bag_has_key(bag: dynamic, key: string) 
+```
+
+### Parameters
+
+| Name  | Type      | Description                                                      |
+| ----- | --------- | ---------------------------------------------------------------- |
+| `bag` | `dynamic` | A dynamic value representing a property bag (e.g., JSON object). |
+| `key` | `string`  | The key to check for within the property bag.                    |
+
+### Returns
+
+Returns a `bool` value:
+
+- `true` if the specified key exists in the property bag
+- `false` otherwise
+
+## Use case examples
+
+<Tabs>
+<Tab title="Log analysis">
+
+Use `bag_has_key` to filter log entries that include a specific metadata key embedded in a dynamic object.
+
+**Query**
+
+```kusto
+['sample-http-logs']
+| extend metadata = bag_pack('source', 'cdn', 'env', 'prod')
+| where bag_has_key(metadata, 'env')
+| project _time, id, method, uri, status, metadata
+```
+
+[Run in Playground](https://play.axiom.co/axiom-play-qf1k/query?initForm=%7B%22apl%22%3A%22%5B%27sample-http-logs%27%5D%20%7C%20extend%20metadata%20%3D%20bag_pack%28%27source%27%2C%20%27cdn%27%2C%20%27env%27%2C%20%27prod%27%29%20%7C%20where%20bag_has_key%28metadata%2C%20%27env%27%29%20%7C%20project%20_time%2C%20id%2C%20method%2C%20uri%2C%20status%2C%20metadata%22%7D)
+
+**Output**
+
+| _time            | id   | method | uri            | status | metadata                      |
+| ----------------- | ---- | ------ | -------------- | ------ | ----------------------------- |
+| 2025-05-27T12:30Z | u123 | GET    | /login         | 200    | \{'source':'cdn','env':'prod'\} |
+| 2025-05-27T12:31Z | u124 | POST   | /cart/checkout | 500    | \{'source':'cdn','env':'prod'\} |
+
+The query filters logs where the synthetic `metadata` bag includes the key `'env'`.
+
+</Tab>
+<Tab title="OpenTelemetry traces">
+
+Use `bag_has_key` to filter spans that include specific dynamic span attributes.
+
+**Query**
+
+```kusto
+['otel-demo-traces']
+| extend attributes = bag_pack('user', 'alice', 'feature_flag', 'beta')
+| where bag_has_key(attributes, 'feature_flag')
+| project _time, trace_id, span_id, ['service.name'], kind, attributes
+```
+
+[Run in Playground](https://play.axiom.co/axiom-play-qf1k/query?initForm=%7B%22apl%22%3A%22%5B%27otel-demo-traces%27%5D%20%7C%20extend%20attributes%20%3D%20bag_pack%28%27user%27%2C%20%27alice%27%2C%20%27feature_flag%27%2C%20%27beta%27%29%20%7C%20where%20bag_has_key%28attributes%2C%20%27feature_flag%27%29%20%7C%20project%20_time%2C%20trace_id%2C%20span_id%2C%20%5B%27service.name%27%5D%2C%20kind%2C%20attributes%22%7D)
+
+**Output**
+
+| _time            | trace_id | span_id | ['service.name'] | kind   | attributes                              |
+| ----------------- | --------- | -------- | ----------------- | ------ | --------------------------------------- |
+| 2025-05-27T10:02Z | abc123    | span567  | frontend          | client | \{'user':'alice','feature_flag':'beta'\} |
+
+The query selects spans with dynamic `attributes` bags containing the `'feature_flag'` key.
+
+</Tab>
+<Tab title="Security logs">
+
+Use `bag_has_key` to identify HTTP logs where the request metadata contains sensitive audit-related keys.
+
+**Query**
+
+```kusto
+['sample-http-logs']
+| extend audit_info = bag_pack('action', 'delete', 'reason', 'admin_override')
+| where bag_has_key(audit_info, 'reason')
+| project _time, id, uri, status, audit_info
+```
+
+[Run in Playground](https://play.axiom.co/axiom-play-qf1k/query?initForm=%7B%22apl%22%3A%22%5B%27sample-http-logs%27%5D%20%7C%20extend%20audit_info%20%3D%20bag_pack%28%27action%27%2C%20%27delete%27%2C%20%27reason%27%2C%20%27admin_override%27%29%20%7C%20where%20bag_has_key%28audit_info%2C%20%27reason%27%29%20%7C%20project%20_time%2C%20id%2C%20uri%2C%20status%2C%20audit_info%22%7D)
+
+**Output**
+
+| _time            | id   | uri           | status | audit_info                                    |
+| ----------------- | ---- | ------------- | ------ | ---------------------------------------------- |
+| 2025-05-27T13:45Z | u999 | /admin/delete | 403    | \{'action':'delete','reason':'admin_override'\} |
+
+The query returns only logs where the `audit_info` bag includes the `'reason'` key, indicating administrative override events.
+
+</Tab>
+</Tabs>
+
+## List of related functions
+
+- [bag_keys](/apl/scalar-functions/array-functions/bag-keys): Returns all keys in a dynamic property bag. Use it when you need to enumerate available keys.
+- [bag_pack](/apl/scalar-functions/array-functions/bag-pack): Converts a list of key-value pairs to a dynamic property bag. Use when you need to build a bag.

apl/scalar-functions/array-functions/bag-keys.mdx

@@ -0,0 +1,161 @@
+---
+title: bag_keys
+description: 'This page explains how to use the bag_keys function in APL.'
+---
+
+Use the `bag_keys` function in APL to extract the keys of a dynamic (bag) object as an array of strings. This is useful when you want to inspect or manipulate the structure of a dynamic field—such as JSON-like nested objects—without needing to know its exact schema in advance.
+
+Use `bag_keys` when you’re working with semi-structured data and want to:
+
+- Discover what properties are present in a dynamic object.
+- Iterate over the keys programmatically using other array functions.
+- Perform validation or debugging tasks to ensure all expected keys exist.
+
+This function is especially helpful in log analytics, observability pipelines, and security auditing, where dynamic properties are often collected from various services or devices.
+
+## For users of other query languages
+
+If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
+
+<AccordionGroup>
+<Accordion title="Splunk SPL users">
+
+In Splunk SPL, you typically interact with JSON-like fields using the `spath` command or use `keys(_raw)` to retrieve field names. In APL, `bag_keys` serves a similar purpose by returning an array of keys from a dynamic object.
+
+<CodeGroup>
+```sql Splunk example
+| eval key_list=keys(data_field)
+````
+
+```kusto APL equivalent
+datatable(data: dynamic)
+[
+    dynamic({ "ip": "127.0.0.1", "status": "200", "method": "GET" })
+]
+| extend keys = bag_keys(data)
+```
+
+</CodeGroup>
+
+</Accordion>
+<Accordion title="ANSI SQL users">
+
+ANSI SQL doesn’t have native support for dynamic objects or JSON key introspection in the same way. However, some SQL dialects (like PostgreSQL or BigQuery) provide JSON-specific functions for extracting keys. `bag_keys` is the APL equivalent for dynamically introspecting JSON objects.
+
+<CodeGroup>
+```sql SQL example
+SELECT JSON_OBJECT_KEYS(data) FROM logs;
+```
+
+```kusto APL equivalent
+datatable(data: dynamic)
+[
+    dynamic({ "ip": "127.0.0.1", "status": "200", "method": "GET" })
+]
+| extend keys = bag_keys(data)
+```
+
+</CodeGroup>
+
+</Accordion>
+</AccordionGroup>
+
+## Usage
+
+### Syntax
+
+```kusto
+bag_keys(bag)
+```
+
+### Parameters
+
+| Name  | Type      | Description                                        |
+| ----- | --------- | -------------------------------------------------- |
+| `bag` | `dynamic` | The dynamic object whose keys you want to extract. |
+
+### Returns
+
+An array of type `string[]` containing the names of the keys in the dynamic object. If the input is not a dynamic object, the function returns `null`.
+
+## Use case examples
+
+<Tabs>
+<Tab title="Log analysis">
+
+Use `bag_keys` to audit dynamic metadata fields in HTTP logs where each record contains a nested object representing additional request attributes.
+
+**Query**
+
+```kusto
+['sample-http-logs']
+| extend metadata = dynamic({ 'os': 'Windows', 'browser': 'Firefox', 'device': 'Desktop' })
+| extend key_list = bag_keys(metadata)
+| project _time, uri, metadata, key_list
+```
+
+[Run in Playground](https://play.axiom.co/axiom-play-qf1k/query?initForm=%7B%22apl%22%3A%22%5B'sample-http-logs'%5D%20%7C%20extend%20metadata%20%3D%20dynamic(%7B%20'os'%3A%20'Windows'%2C%20'browser'%3A%20'Firefox'%2C%20'device'%3A%20'Desktop'%20%7D)%20%7C%20extend%20key_list%20%3D%20bag_keys(metadata)%20%7C%20project%20_time%2C%20uri%2C%20metadata%2C%20key_list%22%7D)
+
+**Output**
+
+| _time              | uri    | metadata                                         | key_list                    |
+| ------------------- | ------ | ------------------------------------------------ | ---------------------------- |
+| 2025-05-26 12:01:23 | /login | \{os: Windows, browser: Firefox, device: Desktop\} | [‘os’, ‘browser’, ‘device’] |
+
+This query inspects a simulated metadata object and returns the list of its keys, helping you debug inconsistencies or missing fields.
+
+</Tab>
+<Tab title="OpenTelemetry traces">
+
+Use `bag_keys` to examine custom span attributes encoded as dynamic fields within OpenTelemetry trace events.
+
+**Query**
+
+```kusto
+['otel-demo-traces']
+| extend attributes = dynamic({ 'user_id': 'abc123', 'feature_flag': 'enabled' })
+| extend attribute_keys = bag_keys(attributes)
+| project _time, ['service.name'], kind, attributes, attribute_keys
+```
+
+[Run in Playground](https://play.axiom.co/axiom-play-qf1k/query?initForm=%7B%22apl%22%3A%22%5B'otel-demo-traces'%5D%20%7C%20extend%20attributes%20%3D%20dynamic(%7B%20'user_id'%3A%20'abc123'%2C%20'feature_flag'%3A%20'enabled'%20%7D)%20%7C%20extend%20attribute_keys%20%3D%20bag_keys(attributes)%20%7C%20project%20_time%2C%20%5B'service.name'%5D%2C%20kind%2C%20attributes%2C%20attribute_keys%22%7D)
+
+**Output**
+
+| _time              | ['service.name'] | kind   | attributes                                 | attribute_keys                |
+| ------------------- | ----------------- | ------ | ------------------------------------------ | ------------------------------ |
+| 2025-05-26 13:14:01 | frontend          | client | \{user_id: abc123, feature_flag: enabled\} | [‘user_id’, ‘feature_flag’] |
+
+This query inspects the custom span-level attributes and extracts their keys to verify attribute coverage or completeness.
+
+</Tab>
+<Tab title="Security logs">
+
+Use `bag_keys` to list all security-related fields captured dynamically during request monitoring for auditing or compliance.
+
+**Query**
+
+```kusto
+['sample-http-logs']
+| extend security_context = dynamic({ 'auth_status': 'success', 'role': 'admin', 'ip': '192.168.1.5' })
+| extend fields = bag_keys(security_context)
+| project _time, status, ['geo.country'], security_context, fields
+```
+
+[Run in Playground](https://play.axiom.co/axiom-play-qf1k/query?initForm=%7B%22apl%22%3A%22%5B'sample-http-logs'%5D%20%7C%20extend%20security_context%20%3D%20dynamic(%7B%20'auth_status'%3A%20'success'%2C%20'role'%3A%20'admin'%2C%20'ip'%3A%20'192.168.1.5'%20%7D)%20%7C%20extend%20fields%20%3D%20bag_keys(security_context)%20%7C%20project%20_time%2C%20status%2C%20%5B'geo.country'%5D%2C%20security_context%2C%20fields%22%7D)
+
+**Output**
+
+| _time              | status | ['geo.country'] | security_context                                     | fields                          |
+| ------------------- | ------ | ---------------- | ----------------------------------------------------- | ------------------------------- |
+| 2025-05-26 15:32:10 | 200    | US               | \{auth_status: success, role: admin, ip: 192.168.1.5\} | [‘auth_status’, ‘role’, ‘ip’] |
+
+This helps you audit security metadata in requests and ensure key fields are present across records.
+
+</Tab>
+</Tabs>
+
+## List of related functions
+
+- [bag_pack](/apl/scalar-functions/array-functions/bag-pack): Converts a list of key-value pairs to a dynamic property bag. Use when you need to build a bag.
+- [bag_has_key](/apl/scalar-functions/array-functions/bag-has-key): Checks whether a dynamic property bag contains a specific key.