Important
This function is considered experimental and under active development and should not be used in production.
The function must be enabled using the feature flag ArrayFunctions. See Enabling & Disabling Feature Flags.
Computes an aggregated value of an array on all events.
Parameter | Type | Required | Default Value | Description |
---|---|---|---|---|
array [a] | string | required | The prefix of the array in LogScale, for example, for events with fields incidents[0], incidents[1], ... this would be incidents . | |
as | string | optional[b] | _reduceRow | Name of the output array. |
function | function | required | Aggregate function to use (for example, max() ). Must be an aggregate function that outputs a single event with a single field. | |
var | string | required | Placeholder field name to use for array element to use in aggregate function. | |
[b] Optional parameters use their default value unless explicitly set. |
Hide omitted argument names for this function
Omitted Argument NamesThe argument name for
array
can be omitted; the following forms of this function are equivalent:logscalearray:reduceRow("value[]",var="value",function="value")
and:
logscalearray:reduceRow(array="value[]",var="value",function="value")
These examples show basic structure only.
Only aggregate functions that return a single event with a single field
(such as avg()
, count()
,
sum()
, max()
etc.) are allowed
as the function
argument.
The function cannot be join()
or
groupBy()
.
array:reduceRow()
Examples
Calculate Average of Field Values in an Array
Calculate Average of Field Values in a flat array using the array:reduceRow()
function
Query
array:reduceRow("ages[]", var=x, function=avg(x))
Introduction
The array:reduceRow()
function can be used
together with the aggregate function avg()
as
the function argument to calculate the average of field values in
a flat array. In this example, the
array:reduceRow()
function is used to
calculate the average age of the field ages
and return the result in a field named
_reduceRow._avg.
Example incoming data might look like this:
ages[0] | ages[1] | ages[2] |
---|---|---|
16 | 32 | 64 |
15 | 30 | 45 |
1 | 2 | 4 |
89 | 57 | 67 |
Step-by-Step
Starting with the source repository events.
- logscale
array:reduceRow("ages[]", var=x, function=avg(x))
Produces two events, calculating the average value across the ages[] array for each event. The results are placed into the _avg field for each new event.
Event Result set.
Summary and Results
The query is used to calculate averages for a given array for
each event and is a shorthand version of using
array:eval()
specifically for processing
each event.
Sample output from the incoming example data:
ages[0] | ages[1] | ages[2] | _avg |
---|---|---|---|
16 | 32 | 64 | 37.333 |
15 | 30 | 45 | 30 |
1 | 2 | 4 | 2.67 |
89 | 57 | 67 | 71 |
Note that the evaluation is per event, for example per row of
the overall table of values across the array over all events. To
calculate values across the column of values, use
array:reduceColumn()
.