Aggregate Query Functions

LogScale's aggregate query functions provide grouping and/or aggregation of event data.

Table: Aggregate Query Functions

| Function | Default Argument | Availability | Description |
| --- | --- | --- | --- |
| array:intersection(array, [as]) | array | introduced in 1.39 | Determines the set intersection of array values over input events. |
| array:reduceColumn(array, [as], function, var) | array | introduced in 1.39 | Computes an aggregate value for each array element with the same index. |
| array:union(array, [as]) | array | introduced in 1.39 | Determines the set union of array values over input events. |
| avg([as], field) | field | | Calculates the average for a field of a set of events. |
| bucket([buckets], [field], [function], [limit], [minSpan], [span], [timezone], [unit]) | span | | Extends the groupBy() function for grouping by time. |
| callFunction([as], field, function) | function | | Calls the named function on a field over a set of events. |
| collect(fields, [limit], [multival], [separator]) | fields | | Collects fields from multiple events into one event. |
| count([as], [distinct], [field]) | field | | Counts given events. |
| counterAsRate([as], field) | field | | Calculates the rate for a counter field. |
| fieldstats([limit]) | | | Retrieves stats about fields. |
| groupBy(field, [function], [limit]) | field | | Groups events by specified fields and executes aggregate functions on each group. |
| head([limit]) | limit | | Finds the oldest events. |
| linReg([prefix], x, y) | | | Computes a linear relationship model between two variables using least-squares fitting. |
| percentile([accuracy], [as], field, [percentiles]) | field | | Finds one event with a field for each percentile specified. |
| rdns([as], field, [server]) | field | | Resolves the given field of events using a reverse DNS (RDNS) lookup. |
| sankey(source, target, [weight]) | | | Produces data compatible with the Sankey widget. |
| selectFromMax(field, include) | field | | Selects the event with the largest value for the specified field. |
| selectFromMin(field, include) | field | | Selects the event with the smallest value for the specified field. |
| selectLast(fields) | fields | | Specifies fields to select from events, keeping the value of the most recent event for each field. |
| series(collect, [endmatch], [maxduration], [maxpause], [memlimit], [separator], [startmatch]) | collect | | Collects a series of values for selected fields from multiple events into one or more events. |
| session([function], [maxpause]) | function | | Collects events into sessions and aggregates them. |
| setField(target, value) | | | Sets fields whose names are not known in advance but computed from an expression. |
| sort([field], [limit], [order], [reverse], [type]) | field | | Sorts events by their fields. |
| stats([function]) | function | | Used to compute multiple aggregate functions over the input. |
| sum([as], field) | field | | Calculates the sum for a field over a set of events. |
| table(fields, [limit], [order], [reverse], [sortby], [type]) | fields | | Used to create a widget to present the data in a table. |
| tail([limit]) | limit | | Finds the newest events. |
| timeChart([buckets], [function], [limit], [minSpan], [series], [span], [timezone], [unit]) | series | | Used to draw a line chart where the x-axis is time. |
| top([as], [error], field, [limit], [max], [percent], [rest], [sum]) | field | | Finds the top results based on a given field. |
| transpose([column], [header], [limit], [pivot]) | pivot | | Transposes a query result set by creating an event for each attribute. |
| window([buckets], [function], [span]) | function | | Computes aggregate functions over a sliding window of data. |
| worldMap([ip], [lat], [lon], [magnitude], [precision]) | | | Used to produce data compatible with the World Map widget. |

The following functions are supported only for testing queries and parsers.

Table: Aggregate (for testing) Query Functions

| Function | Default Argument | Availability | Description |
| --- | --- | --- | --- |
| createEvents(rawstring) | rawstring | | Generates temporary events as part of the query. |