Computes a value from all events and array elements of the specified array.
| Parameter | Type | Required | Default Value | Description |
|---|---|---|---|---|
array[a] | string | required | A string in the format of a valid array followed by []. A valid array can either be an identifier, a valid array followed by . and an identifier, or a valid array followed by an array index surrounded by square brackets. For example, for events with fields incidents[0], incidents[1], ... this would be incidents[]. | |
function | array of aggregate functions | required | The function to be applied to each element. If several aggregators are listed for the function parameter, then their outputs are combined using the rules described for stats(). | |
var | string | required | Array element field name to use in the function. | |
Hide omitted argument names for this function
Omitted Argument NamesThe argument name for
arraycan be omitted; the following forms of this function are equivalent:logscale Syntaxarray:reduceAll("value",var="value",function="value")and:
logscale Syntaxarray:reduceAll(array="value",var="value",function="value")These examples show basic structure only.
Syntactically, the function is similar to:
split(array)
| function(array)but is more efficient.
The function applies to all the values across multiple events.
For example, with three events each containing an array
a[] such that:
| a[0] | a[1] | a[2] |
|---|---|---|
| 1 | 4 | 2 |
| 3 | 5 | 2 |
| 5 | 2 | 3 |
Where the rows of a[] across all events
are:
[1, 4, 2]
[3, 5, 2]
[5, 2, 3]Running:
array:reduceAll("a[]", function=avg(x), var=x)would result in the output:
_avg=3
since x would take the values of:
{1, 4, 2, 3, 5, 2, 5, 2, 3}array:reduceAll() Examples
Click next to an example below to get the full details.
Compute an Aggregated Value of an Array on All Events
Compute an aggregated value of a flat array on all events using the array:reduceAll() function
Query
array:reduceAll("values[]", var=x, function=max(x))Introduction
The array:reduceAll() function computes a
value across all events and array elements of the specified array.
The reduce() method returns a single value:
the function's accumulated result. In this example, the aggregate
function max() is used to output a single
event with a single field.
Step-by-Step
Starting with the source repository events.
- logscale
array:reduceAll("values[]", var=x, function=max(x))Computes the maximum value over all the values within the array values[] by using the
max()on each element, and then across each event in the event set. Event Result set.
Summary and Results
The query is used to compute a value from all events and array
elements of a specified array. The reduce()
method is recommended, when you need to have a single value
returned from iterating over your array. Only aggregate
functions that return a single event with a single field (such
as avg(), count(),
sum(), max() etc.) are
allowed as the
function
argument.