Collects fields from multiple events into one event. It has a limit of 1Kb
per key when used as part of a groupBy() operation.
This limits the number of values you can index during the aggregation.
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
fields[a] | Array of strings | required | Names of the fields to keep. | |
limit | integer | optional[b] | 2000 | Limit to number of distinct values in collect. |
multival | boolean | optional[b] | true | Collects the resulting value as multivalue (a single field value using separator). |
separator | string | optional[b] | ; | Separator used for multiple values. |
[b] Optional parameters use their default value unless explicitly set | ||||
Omitted Argument NamesThe argument name for
fieldscan be omitted; the following forms of this function are equivalent:logscalecollect("value")and:
logscalecollect(fields="value")These examples show basic structure only; full examples are provided below.
collect() Examples
Collects visitors, each visitor defined as non-active after one minute.
logscale
groupby(client_ip, function=session(maxpause=1m, collect([url])))Collect fields from multiple events, counting the collected field:
logscale
LocalAddressIP4 = * RemoteAddressIP4 = * aip = *
| groupBy([LocalAddressIP4, RemoteAddressIP4], function=([count(aip, as=aipCount, distinct=true), collect([aip])]))