Computes a value from all events and array elements of the specified array.
Function Traits: Aggregate
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
array[a] | string | required | A string in the format of a valid array followed by []. A valid array can either be an identifier, a valid array followed by . and an identifier, or a valid array followed by an array index surrounded by square brackets. For example, for events with fields incidents[0], incidents[1], ... this would be incidents[]. | |
function | string | required | The function to be applied to each element. | |
var | string | required | Array element field name to use in the function. | |
The parameter name for array can be omitted; the following forms are equivalent:
array:reduceAll("value")and:
array:reduceAll(array="value")Syntactically, the function is similar to:
split(array)
| function(array)but is more efficient.
The array:reduceAll() function applies to all the
values across multiple events.
For example, with three events each containing an array a[]
such that:
Event 1
a[0]=1, a[1]=4, a[2]=2Event 2
a[0]=3, a[1]=5, a[2]=2Event 3
a[0]=5, a[1]=2, a[2]=3
where the rows of a[] across all events are:
[1, 4, 2], [3, 5, 2], [5, 2, 3]and the columns across all the events are
[1, 3, 5], [4, 5, 2], [2, 2, 3]
Running:
array:reduceAll("a[]", function=avg(x), var=x)would result in the output:
_avg=3
since x would take the values of:
{1, 4, 2, 3, 5, 2, 5, 2, 3}array:reduceAll() Examples
Compute the maximum value of all values in an array named values in all events:
array:reduceAll(values[], var=x, function=max(x))Group by array values and the non-array field type
array:reduceAll(values[], var=x, function=groupby([type, x]))