Important
This function is considered experimental and under active development and should not be used in production.
The function must be enabled using the feature flag ArrayFunctions. See Enabling & Disabling Feature Flags.
Computes an aggregated value of an array on all events.
Parameter | Type | Required | Default Value | Description |
---|---|---|---|---|
array [a] | string | required | The prefix of the array in LogScale, for example for events with fields incidents[0], incidents[1], ... this would be incidents . | |
as | string | optional[b] | _reduceRow | Name of the output array. |
function | function | required | Aggregate function to use (for example max() ). Must be an aggregate function that outputs a single event with a single field. | |
var | string | required | Placeholder field name to use for array element to use in aggregate function. | |
[b] Optional parameters use their default value unless explicitly set. |
Hide omitted argument names for this function
Omitted Argument NamesThe argument name for
array
can be omitted; the following forms of this function are equivalent:logscalearray:reduceRow("value[]",var="value",function="value")
and:
logscalearray:reduceRow(array="value[]",var="value",function="value")
These examples show basic structure only.
Only aggregate functions that return a single event with a single field
(such as avg()
, count()
,
sum()
, max()
etc.) are allowed
as the function
argument.
The function cannot be join()
or
groupBy()
.
array:reduceRow()
Examples
For instance, given an array of ages named ages on events:
Event 1:
| fieldname | value |
|-------------|-------|
| ages\[0\] | 16 |
| ages\[1\] | 32 |
| ages\[2\] | 64 |
Event 2:
| fieldname | value |
|-------------|-------|
| ages\[0\] | 15 |
| ages\[1\] | 30 |
| ages\[2\] | 45 |
Then using the aggregate function avg()
as the
function
argument:
array:reduceRow(ages, var=x, function=avg(x))
Produces events 'Event 1' and 'Event 2' with the added field _reduceRow._avg as so:
Event 1:
| fieldname | value |
|----------------------|----------|
| ages\[0\] | 16 |
| ages\[1\] | 32 |
| ages\[2\] | 64 |
| _reduceRow._avg | 37.333...|
Event 2:
| fieldname | value |
|----------------------|-------|
| ages\[0\] | 15 |
| ages\[1\] | 30 |
| ages\[2\] | 45 |
| _reduceRow._avg | 30 |