Computes a value from all events and array elements of the specified array.
Parameter | Type | Required | Default Value | Description
---|---|---|---|---
array [a] | string | required | | A string in the format of a valid array followed by `[]`. A valid array can either be an identifier, a valid array followed by `.` and an identifier, or a valid array followed by an array index surrounded by square brackets. For example, for events with fields incidents[0], incidents[1], ... this would be `incidents[]`.
function | string | required | | The function to be applied to each element.
var | string | required | | Array element field name to use in the function.
[a] Omitted Argument Names: the argument name for array can be omitted; the following forms of this function are equivalent:

```logscale
array:reduceAll("value[]",var="value",function="value")
```

and:

```logscale
array:reduceAll(array="value[]",var="value",function="value")
```

These examples show basic structure only.
Syntactically, the function is similar to:

```logscale
split(array)
| function(array)
```

but is more efficient.
The function applies to all the values across multiple events. For example, with three events each containing an array a[] such that:

a[0] | a[1] | a[2]
---|---|---
1 | 4 | 2
3 | 5 | 2
5 | 2 | 3

the rows of a[] across all events are:

[1, 4, 2]
[3, 5, 2]
[5, 2, 3]

Running:

```logscale
array:reduceAll("a[]", function=avg(x), var=x)
```

would result in the output:

_avg=3

since x would take the values of:

{1, 4, 2, 3, 5, 2, 5, 2, 3}
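As an added illustration that is not part of the original documentation, the Python model below reproduces the semantics just described: it gathers the a[0], a[1], ... fields of every event (the flat field names LogScale uses for array elements) into one sequence and then applies a single aggregate to it. The names reduce_all, array_elements, AGGREGATES and the sample EVENTS are assumptions of this model, and the var argument is not modelled because it only names the bound element.

```python
import re
from statistics import mean

# Constructed sample events, stored the way arrays are flattened into fields:
# each element is its own field named a[<index>] (matches the table above).
EVENTS = [
    {"a[0]": "1", "a[1]": "4", "a[2]": "2", "host": "web-1"},
    {"a[0]": "3", "a[1]": "5", "a[2]": "2", "host": "web-2"},
    {"a[0]": "5", "a[1]": "2", "a[2]": "3", "host": "web-3"},
]

# Aggregates of the kind the page allows as the `function` argument: each
# one collapses the whole sequence into a single field.
AGGREGATES = {
    "avg": ("_avg", mean),
    "sum": ("_sum", sum),
    "max": ("_max", max),
    "count": ("_count", len),
}

def array_elements(event, prefix):
    """Return the values of the fields prefix[0], prefix[1], ... in index order.

    Only fields of the exact form prefix[<digits>] match, so a prefix of "a"
    does not pick up a field such as ab[0] or a.b[0].
    """
    pat = re.compile(r"^" + re.escape(prefix) + r"\[(\d+)\]$")
    hits = []
    for name, value in event.items():
        m = pat.match(name)
        if m:
            hits.append((int(m.group(1)), value))
    return [value for _, value in sorted(hits)]

def reduce_all(events, array_spec, func):
    """Model of array:reduceAll(): flatten the array across every event, then
    apply one aggregate to the combined values and return a single-field result.
    """
    if not array_spec.endswith("[]"):
        raise ValueError("array argument must end with []")
    field, agg = AGGREGATES[func]
    prefix = array_spec[:-2]
    values = [float(v) for ev in events for v in array_elements(ev, prefix)]
    if not values:
        return {}  # no event carried the array: nothing to aggregate
    result = agg(values)
    return {field: int(result) if result == int(result) else result}

if __name__ == "__main__":
    print(reduce_all(EVENTS, "a[]", "avg"))  # {'_avg': 3}
```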
array:reduceAll() Examples
Compute an Aggregated Value of an Array on All Events

Compute an aggregated value of a flat array on all events using the array:reduceAll() function.

Query:

```logscale
array:reduceAll(values[], var=x, function=max(x))
```
Introduction

The array:reduceAll() function computes a value across all events and array elements of the specified array. The reduce() method returns a single value: the function's accumulated result. In this example, the aggregate function max() is used to output a single event with a single field.
Step-by-Step

- Starting with the source repository events.
- Run:

  ```logscale
  array:reduceAll(values[], var=x, function=max(x))
  ```

  Computes the maximum value over all the values within the array values[] by applying max() to each element, and then across each event in the event set.
- Event Result set.
Summary and Results

The query is used to compute a value from all events and array elements of a specified array. The reduce() method is recommended when you need a single value returned from iterating over your array. Only aggregate functions that return a single event with a single field (such as avg(), count(), sum(), max(), etc.) are allowed as the function argument.