Important

This function is considered experimental and under active development and should not be used in production.

The function must be enabled using the feature flag ArrayFunctions. See Enabling & Disabling Feature Flags.

Computes an aggregate value for each array element with the same index.

| Parameter | Type | Required | Default Value | Description |
|---|---|---|---|---|
| array[a] | string | required | | The prefix of the array in LogScale, for example, for events with fields incidents[0], incidents[1], ... this would be incidents. |
| as | string | optional[b] | _reduceColumn | Name of the output array. |
| function | string | required | | Aggregate function to use (for example, max()). |
| var | string | required | | Placeholder field name to use for array elements in the aggregate function. |

[a] The argument name array can be omitted.

[b] Optional parameters use their default value unless explicitly set.


If, for example, all events contain arrays with the time taken for 3 different tasks, the query

logscale
array:reduceColumn(times, var=x, function=[avg(x), max(x)])

will compute the maximum and average time for each task.

If function is an aggregator that produces more than one event, such as groupBy(), the output of array:reduceColumn() will contain the same number of events as the maximum number of events produced in a column. The n'th event will contain an array with the values from the n'th event in all columns having an n'th event. This can lead to unreliable ordering of the output if the internal aggregate does not output ordered events (such as groupBy()).
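The row alignment described above, modeled in plain Python as an added example (not LogScale code and not taken from the LogScale documentation). It assumes each aggregate row is kept as an opaque value under its original column index; the helper names and the third sample event are constructed for illustration.

```python
from collections import Counter

def columns(events, prefix):
    """Group prefix[i] values by index i across events (flat field names)."""
    cols = {}
    for ev in events:
        i = 0
        while f"{prefix}[{i}]" in ev:
            cols.setdefault(i, []).append(ev[f"{prefix}[{i}]"])
            i += 1
    return cols

def reduce_column(events, prefix, aggregate, out="_reduceColumn"):
    """aggregate(values) returns a list of rows: one for max/avg, several for
    a groupBy-like aggregator. Output event n collects row n of every column
    that has an n'th row (assumption: the column index is kept)."""
    per_col = {i: aggregate(v) for i, v in columns(events, prefix).items()}
    n_out = max((len(rows) for rows in per_col.values()), default=0)
    return [{f"{out}[{i}]": rows[n] for i, rows in sorted(per_col.items())
             if n < len(rows)} for n in range(n_out)]

def agg_max(values):
    """Single-row aggregator, like max(x)."""
    return [max(values)]

def group_by(values, ordered=False):
    """One (value, count) row per distinct value; arrival order unless ordered."""
    rows = list(Counter(values).items())
    return sorted(rows) if ordered else rows

# The two events from the page's first example, plus one constructed event.
PAGE_EVENTS = [
    {"times[0]": 1, "times[1]": 2, "times[2]": 3},
    {"times[0]": 5, "times[1]": 1, "times[2]": 0},
]
EVENTS = PAGE_EVENTS + [{"times[0]": 1, "times[1]": 2, "times[2]": 7}]  # constructed

if __name__ == "__main__":
    print(reduce_column(PAGE_EVENTS, "times", agg_max))
    # Column 2 has three distinct values, so three output events are produced;
    # the last one only carries _reduceColumn[2].
    for ev in reduce_column(EVENTS, "times", group_by):
        print(ev)
    # Reversing event arrival changes which group lands in output event 0.
    for ev in reduce_column(EVENTS[::-1], "times", group_by):
        print(ev)
```

In this model, an inner aggregate with a defined output order gives the same rows regardless of event arrival order, which is why dashboards or alerts that read a specific output row should not rely on an unordered inner aggregate.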

Compute Aggregate Value for Each Array Element With Same Index

Compute an aggregate value for each array element with the same index using the array:reduceColumn() function.

Query

logscale
maxTimes := array:reduceColumn(times, var=x, function={time := max(x)})

Introduction

The array:reduceColumn() function can be used to compute an aggregate value for each array element with the same index. In this example, the array:reduceColumn() function is used to find the maximum time for each array element with the same index in a flat array.

Example incoming data might look like this:

| times[0] | times[1] | times[2] |
|---|---|---|
| 1 | 2 | 3 |
| 5 | 1 | 0 |

Step-by-Step

  1. Starting with the source repository events.

  2. logscale
    maxTimes := array:reduceColumn(times, var=x, function={time := max(x)})

    Computes the maximum time for each array element with the same index in the array and reduces it to one value.

  3. Event Result set.

Summary and Results

The query is used to find the maximum time for each array element with the same index in a flat array.

| _reduceColumn[0] | _reduceColumn[1] | _reduceColumn[2] |
|---|---|---|
| 5 | 2 | 3 |

Compute Average Value for Each Array Element With Same Index

Compute an average value for each array element with the same index across multiple events using the array:reduceColumn() function.

Query

logscale
maxTimes := array:reduceColumn("ages[]", var=x, function=avg(x))

Introduction

The array:reduceColumn() function can be used to compute an average value for each array element with the same index. In this example, the array:reduceColumn() function is used to find the average value for each array element with the same index in a flat array.

Example incoming data might look like this:

| ages[0] | ages[1] | ages[2] |
|---|---|---|
| 16 | 32 | 64 |
| 15 | 30 | 45 |
| 1 | 2 | 4 |
| 89 | 57 | 67 |

Step-by-Step

  1. Starting with the source repository events.

  2. logscale
    maxTimes := array:reduceColumn("ages[]", var=x, function=avg(x))

    Computes the average for each array element with the same index in the array and reduces it to one value, placing the result for each index into a new field _reduceColumn.

  3. Event Result set.

Summary and Results

The query is used to find the average value for each array element with the same index in a flat array.

| _reduceColumn[0] | _reduceColumn[1] | _reduceColumn[2] | _reduceColumn[3] |
|---|---|---|---|
| 40.3 | 40.3 | 63.3 | |