Aggregate Query Functions
LogScale's aggregate query functions provide grouping and/or aggregation of event data.
Table: Aggregate Query Functions
Function | Default Argument | Availability | Description |
---|---|---|---|
array:intersection(array, [as]) | array | | Determines the set intersection of array values over input events. |
array:reduceAll(array, function, var) | array | | Computes a value from all events and array elements of the specified array. |
array:reduceColumn(array, [as], function, var) | array | | Computes an aggregate value for each array element with the same index. |
array:union(array, [as]) | array | | Determines the set union of array values over input events. |
avg([as], field) | field | | Calculates the average for a field of a set of events. |
bucket([buckets], [field], [function], [limit], [minSpan], [span], [timezone], [unit]) | span | | Extends the groupBy() function for grouping by time. |
callFunction([as], field, function) | function | | Calls the named function on a field over a set of events. |
collect(fields, [limit], [multival], [separator]) | fields | | Collects fields from multiple events into one event. |
count([as], [distinct], [field]) | field | | Counts given events. |
counterAsRate([as], field) | field | | Calculates the rate for a counter field. |
fieldstats([limit]) | | | Retrieves stats about fields. |
groupBy(field, [function], [limit]) | field | | Groups events by specified fields and executes aggregate functions on each group. |
head([limit]) | limit | | Finds the oldest events. |
linReg([prefix], x, y) | | | Computes a linear relationship model between two variables using least-squares fitting. |
percentile([accuracy], [as], field, [percentiles]) | field | | Finds one event with a field for each percentile specified. |
rdns([as], field, [server]) | field | | Enriches events using a reverse DNS (RDNS) lookup. |
sankey(source, target, [weight]) | | | Produces data compatible with the Sankey widget. |
selectFromMax(field, include) | field | | Selects the event with the largest value for the specified field. |
selectFromMin(field, include) | field | | Selects the event with the smallest value for the specified field. |
selectLast(fields) | fields | | Specifies fields to select from events, keeping the value of the most recent event for each field. |
series(collect, [endmatch], [maxduration], [maxpause], [memlimit], [separator], [startmatch]) | collect | | Collects a series of values for selected fields from multiple events into one or more events. |
session([function], [maxpause]) | function | | Collects events into sessions and aggregates them. |
setField(target, value) | | introduced in 1.127.0 | Sets fields whose names are not known in advance but are computed from an expression. |
sort([field], [limit], [order], [reverse], [type]) | field | | Sorts events by their fields. |
stats([function]) | function | | Computes multiple aggregate functions over the input. |
sum([as], field) | field | | Calculates the sum for a field over a set of events. |
table(fields, [limit], [order], [reverse], [sortby], [type]) | fields | | Creates a widget to present the data in a table. |
tail([limit]) | limit | | Finds the newest events. |
timeChart([buckets], [function], [limit], [minSpan], [series], [span], [timezone], [unit]) | series | | Draws a line chart where the x-axis is time. |
top([as], [error], field, [limit], [max], [percent], [rest], [sum]) | field | | Finds the top results based on a given field. |
transpose([column], [header], [limit], [pivot]) | pivot | | Transposes a query result set by creating an event for each attribute. |
window([buckets], [function], [span]) | function | | Computes aggregate functions over a sliding window of data. |
worldMap([ip], [lat], [lon], [magnitude], [precision]) | | | Produces data compatible with the World Map widget. |
The following functions are supported only for testing queries and parsers.
Table: Aggregate (for testing) Query Functions
Function | Default Argument | Availability | Description |
---|---|---|---|
createEvents(rawstring) | rawstring | | Generates temporary events as part of the query. |