feat: Add support for querying nested/array fields

[pulpdrew]

Closes HDX-3113

Summary

This PR adds support for querying nested (array-type) columns with Lucene syntax.

Syntax

Arrays of simple types

• Array is non-empty: Events.Name:* --> notEmpty(Events.Name)
• Array contains element: Events.Name:"error" --> has(Events.Name, 'error')
  • Supports string, numeric, and boolean inner types with has()
  • All other types are cast to string: Events.Timestamp:"2026-02-02 15:19:37.196300098" --> arrayExists(el ->toString(el) = '2026-02-02 15:19:37.196300098, Events.Timestamp)
• Array contains element containing: Events.Name:domain --> arrayExists(el -> el ILIKE '%domain%', Events.Name)

Arrays of Maps

• Array of maps contains map with non-empty key: Events.Attributes.exception.stacktrace:* --> arrayExists(el - > notEmpty (toString (el['exception.stacktrace'])) = 1, Events.Attributes)
• Array of maps contains map with key+value: Events.Attributes.exception.stacktrace:"AggregateError" --> arrayExists(el - > el['exception.stacktrace'] = 'AggregateError', Events.Attributes)
• Array of maps contains map with key containing value: Events.Attributes.exception.stacktrace:"AggregateError" --> arrayExists(el - > el['exception.stacktrace'] ILIKE '%AggregateError%', Events.Attributes)

Arrays of JSON

• Array of JSON contains object with non-empty key: Events.Attributes.message:* --> arrayExists(el - > notEmpty (toString (el.message)) = 1, Events.Attributes)
• Array of JSON contains object with key + value: Events.Attributes.exception.stacktrace:"AggregateError" --> arrayExists(el - > toString (el.exception.stacktrace) = 'AggregateError', Events.Attributes)
• Array of JSON contains object with key containing value: Events.Attributes.exception.stacktrace:AggregateError --> arrayExists(el - > toString (el.exception.stacktrace) ILIKE '%AggregateError%', Events.Attributes)

[changeset-bot]

🦋 Changeset detected

Latest commit: c2e22fc

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 4 packages

Name	Type
@hyperdx/common-utils	Patch
@hyperdx/api	Patch
@hyperdx/app	Patch
@hyperdx/otel-collector	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
hyperdx-v2-oss-app	Ready	Preview, Comment	Feb 4, 2026 5:35pm

[claude]

PR Review

🔒 CRITICAL: SQL Injection Vulnerability

packages/common-utils/src/queryParser.ts:788-803 - The stringifiedElement variable in renderArrayFieldExpression() is constructed and then embedded directly into SQL template strings without proper escaping.

Issue: Line 791 calls SqlString.format('toString(el)', [SqlString.raw(column)]) which returns a formatted SQL string, then this string is interpolated into another SQL template at lines 797 and 801. This bypasses SqlString's escaping mechanism.

Fix: Don't use SqlString.format for intermediate values. Use plain strings instead:

const stringifiedElement = propertyType === JSDataType.String ? 'el' : 'toString(el)';

The column parameter is already properly escaped when passed to SqlString.format with SqlString.raw(column) at lines 798 and 802.

---

⚠️ Minor Issues

• packages/app/src/SearchInputV2.tsx:77-86 - Missing metadata in useEffect dependency array could cause stale closures → Verify if metadata changes during component lifecycle
• Test coverage looks comprehensive with 387 new test cases ✓

---

Recommendation: Fix the SQL injection issue before merging.

[github-actions]

E2E Test Results

✅ All tests passed • 63 passed • 4 skipped • 835s

Status	Count
✅ Passed	63
❌ Failed	0
⚠️ Flaky	1
⏭️ Skipped	4

Tests ran across 4 shards in parallel.

View full report →

[knudtty]

Apologies for the long review cycle