Used to compute multiple aggregate functions over the input.
It produces one row of data that contains both min and max results.
Omitted Argument Names
The argument name for function can be omitted; the following forms of this function are equivalent:
stats("count(as=_count)")
and:
stats(function="count(as=_count)")
These examples show basic structure only; full examples are provided below.
The stats() function is also available as a shorthand syntax by declaring an array of functions:
...
| stats(function=[min(), max()])
Is equivalent to:
...
| [min(),max()]
stats() Examples
The following query is equivalent to just count():
stats(function=count())
To find the maximum and minimum:
[min_response := min(responsetime), max_response := max(responsetime)]
The stats() function can also be combined with the groupBy() function:
groupBy(
  ["RemoteAddressIP4", "Country", "Region", "City"],
  function=stats(function=[
    collect(UserName, as=computersTargeted),
    count(aid, as=loginAttempts),
    count(aid, as=totalSystemsTargeted, distinct=true)
  ])
)
Or as its syntactic equivalent:
groupBy(
  ["RemoteAddressIP4", "Country", "Region", "City"],
  function=[
    collect(UserName, as=computersTargeted),
    count(aid, as=loginAttempts),
    count(aid, as=totalSystemsTargeted, distinct=true)
  ]
)
This groups the content by the IP address and location, and then performs count() on those aggregated values for the number of login attempts and number of systems.
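The following is an added example, not part of the original documentation. It extends the grouped query above with the min() and max() aggregates shown earlier and then filters the per-source rows, so that only sources with many attempts spread across several systems remain. It assumes the incoming events are failed-logon events carrying the fields used above; the thresholds, the firstSeen, lastSeen and spanSeconds names, and the use of @timestamp are choices made for this illustration.

```logscale
// Added example: one row per source IP and location, with attempt counts
// and the first/last time that source was seen in the search window.
groupBy(
  ["RemoteAddressIP4", "Country", "Region", "City"],
  function=[
    collect(UserName, as=computersTargeted),
    count(aid, as=loginAttempts),
    count(aid, as=totalSystemsTargeted, distinct=true),
    min(@timestamp, as=firstSeen),
    max(@timestamp, as=lastSeen)
  ]
)
// Keep only sources above the (placeholder) thresholds; tune to the environment.
| test(loginAttempts >= 20)
| test(totalSystemsTargeted >= 3)
// @timestamp is in milliseconds, so this is the activity window in seconds.
| spanSeconds := (lastSeen - firstSeen) / 1000
// Show the noisiest sources first.
| sort(loginAttempts, order=desc, limit=50)
```

A short spanSeconds together with a high totalSystemsTargeted points to automated spraying from one source rather than a user repeatedly mistyping a password.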