Finds the smallest number for the specified field over a set of events.

ParameterTypeRequiredDefault ValueDescription
asstringoptional[a] _min Name of output field.
field[b]stringrequired   Field to extract a number from.
typestringoptional[a]   description

[a] Optional parameters use their default value unless explicitly set.

[b] The parameter name field can be omitted.

Hide omitted argument names for this function

Show omitted argument names for this function

min() Syntax Examples

Return what was the minimum responsetime:

logscale
min(responsetime)

Filter for events with a responsetime greater than 5 seconds:

logscale
min(responsetime)
| _min> 5

min()Examples

Click + next to an example below to get the full details.

Alert Query for Parsers Issues

Reporting errors

Query
logscale
#type=humio #kind=logs
| loglevel=WARN
| class = c.h.d.ParserLimitingJob
| "Setting reject ingest for"
| groupBy(id, function=[count(), min(@timestamp), max(@timestamp)] )
| timeDiff:=_max-_min
| timeDiff > 300000 and _count > 10
Introduction

This alert query tries to balance reacting when there are problems with parsers, without being too restrictive.

Step-by-Step

  1. Starting with the source repository events.

  2. logscale
    #type=humio #kind=logs

    Filters on all logs across all hosts in the cluster.

  3. logscale
    | loglevel=WARN

    Filters for all events where the loglevel is equal to WARN.

  4. logscale
    | class = c.h.d.ParserLimitingJob

    Assigns the value c.h.d.ParserLimitingJob to the class for the logs having the loglevel value WARN.

  5. logscale
    | "Setting reject ingest for"

    Filters for events containing the string Setting reject ingest for. This is the error message generated when ingested events are rejected.

  6. logscale
    | groupBy(id, function=[count(), min(@timestamp), max(@timestamp)] )

    Groups the returned result by the field id, makes a count on the events and returns the minimum timestamp and maximum timestamp. This returns a new event set, with the fields id, _count, _min, and _max.

  7. logscale
    | timeDiff:=_max-_min

    Calculates the time difference between the maximum timestamp values and the minimum timestamp values and returns the result in a new field named timeDiff.

  8. logscale
    | timeDiff > 300000 and _count > 10

    Returns all events where the values of timeDiff is greater that 300000 and where there are more than 10 occurrences.

  9. Event Result set.

Summary and Results

This query is used to set up alerts for parsers issues. Setting up alerts for parsers issues will allow to proactively reach out to customers where their queries are being throttled and help them.