Computes a value from all events and array elements of the specified array.
Parameter | Type | Required | Default Value | Description |
---|---|---|---|---|
array [a] | string | required | A string in the format of a valid array followed by [] . A valid array can either be an identifier, a valid array followed by . and an identifier, or a valid array followed by an array index surrounded by square brackets. For example, for events with fields incidents[0], incidents[1], ... this would be incidents[] . | |
function | string | required | The function to be applied to each element. | |
var | string | required | Array element field name to use in the function. | |
Hide omitted argument names for this function
Omitted Argument NamesThe argument name for
array
can be omitted; the following forms of this function are equivalent:logscalearray:reduceAll("value[]",var="value",function="value")
and:
logscalearray:reduceAll(array="value[]",var="value",function="value")
These examples show basic structure only.
Syntactically, the function is similar to:
split(array)
| function(array)
but is more efficient.
The function applies to all the values across multiple events.
For example, with three events each containing an array a[]
such that:
a[0] | a[1] | a[2] |
---|---|---|
1 | 4 | 2 |
3 | 5 | 2 |
5 | 2 | 3 |
Where the rows of a[]
across all events are:
[1, 4, 2]
[3, 5, 2]
[5, 2, 3]
Running:
array:reduceAll("a[]", function=avg(x), var=x)
would result in the output:
_avg=3
since x
would take the values of:
{1, 4, 2, 3, 5, 2, 5, 2, 3}
array:reduceAll()
Examples
Compute the maximum value of all values in an array named values in all events:
array:reduceAll(values[], var=x, function=max(x))