Important

This function is considered experimental and under active development and should not be used in production.

The function must be enabled using the feature flag ArrayFunctions. See Enabling & Disabling Feature Flags.

Computes an aggregated value of an array on all events.

ParameterTypeRequiredDefault ValueDescription
array[a]stringrequired  The prefix of the array in LogScale, for example, for events with fields incidents[0], incidents[1], ... this would be incidents.
asstringoptional[b]_reduceRow Name of the output array.
functionfunctionrequired  Aggregate function to use (for example, max()). Must be an aggregate function that outputs a single event with a single field.
varstringrequired  Placeholder field name to use for array element to use in aggregate function.

[a] The parameter name array can be omitted.

[b] Optional parameters use their default value unless explicitly set.

Hide omitted argument names for this function

Show omitted argument names for this function

Only aggregate functions that return a single event with a single field (such as avg(), count(), sum(), max() etc.) are allowed as the function argument.

The function cannot be join() or groupBy().

Click + next to an example below for to get the full details.

Calculate Average of Field Values in an Array

Calculate Average of Field Values in a flat array using the array:reduceRow() function

Query
logscale
array:reduceRow("ages[]", var=x, function=avg(x))
Introduction

The array:reduceRow() function can be used together with the aggregate function avg() as the function argument to calculate the average of field values in a flat array. In this example, the array:reduceRow() function is used to calculate the average age of the field ages and return the result in a field named _reduceRow._avg.

Example incoming data might look like this:

ages[0]ages[1]ages[2]
163264
153045
124
895767

Step-by-Step
  1. Starting with the source repository events.

  2. logscale
    array:reduceRow("ages[]", var=x, function=avg(x))

    Produces two events, calculating the average value across the ages[] array for each event. The results are placed into the _avg field for each new event.

  3. Event Result set.

Summary and Results

The query is used to calculate averages for a given array for each event and is a shorthand version of using array:eval() specifically for processing each event.

Sample output from the incoming example data:

ages[0]ages[1]ages[2]_avg
16326437.333
15304530
1242.67
89576771

Note that the evaluation is per event, for example per row of the overall table of values across the array over all events. To calculate values across the column of values, use array:reduceColumn().