Important
This function is considered experimental and under active development and should not be used in production.
The function must be enabled using the feature flag ArrayFunctions. See Enabling & Disabling Feature Flags.
Computes an aggregate value for each array element with the same index.
Parameter | Type | Required | Default | Description |
---|---|---|---|---|
array [a] | string | required | The prefix of the array in LogScale, for example for events with fields incidents[0], incidents[1], ... this would be incidents . | |
as | string | optional[b] | _reduceColumn | Name of the output array. |
function | string | required | Aggregate function to use (for example max() ). | |
var | string | required | Placeholder field name to use for array elements in the aggregate function. | |
[b] Optional parameters use their default value unless explicitly set |
Omitted Argument NamesThe argument name for
array
can be omitted; the following forms of this function are equivalent:logscalearray:reduceColumn("value[]",var="value",function="value")
and:
logscalearray:reduceColumn(array="value[]",var="value",function="value")
These examples show basic structure only; full examples are provided below.
If, for example, all events contain arrays with the time taken for 3 different tasks, the query
array:reduceColumn(times, var=x,function=[avg(x), max(x)])
will compute the maximum and average time for each task.
If function
is an
aggregator that produces more than one event, such as
groupBy()
, the output of
array:reduceColumn()
will contain the same number of
events as the maximum number of events produced in a column. The n'th
event will contain an array with the values from the n'th event in all
columns having an n'th event. This can lead to unreliable ordering of the
output if the internal aggregate does not output ordered events (such as
groupBy()
).
array:reduceColumn()
Examples
Find the maximum time for each place in the array. Given two events with arrays:
times=[1, 2, 3]
times=[5, 1, 0]
with the function:
maxTimes := array:reduceColumn(times, var=x, function={time := max(x)})
the result would be:
maxTimes[0].time = 5 |
---|
maxTimes[1].time = 2 |
maxTimes[2].time = 3 |