Finds the largest number for the specified field over a set of events.

Parameter  Type    Required     Default Value  Description
as         string  optional[a]  _max           Name of output field.
field[b]   string  required                    Field to extract a number from.
type       string  optional[a]                 description

[a] Optional parameters use their default value unless explicitly set.

[b] The parameter name field can be omitted.

max() Syntax Examples

Return the maximum responsetime:

logscale
max(responsetime)

Filter for events in the repository with maximum responsetime values greater than 5 seconds:

logscale
max(responsetime)
| _max > 5

max() Examples

Alert Query for Parsers Issues

Reporting errors

Query
logscale
#type=humio #kind=logs
| loglevel=WARN
| class = c.h.d.ParserLimitingJob
| "Setting reject ingest for"
| groupBy(id, function=[count(), min(@timestamp), max(@timestamp)] )
| timeDiff:=_max-_min
| timeDiff > 300000 and _count > 10
Introduction

This alert query tries to balance reacting when there are problems with parsers, without being too restrictive.

Step-by-Step
  1. Starting with the source repository events.

  2. logscale
    #type=humio #kind=logs

    Filters on all logs across all hosts in the cluster.

  3. logscale
    | loglevel=WARN

    Filters for all events where the loglevel is equal to WARN.

  4. logscale
    | class = c.h.d.ParserLimitingJob

    Assigns the value c.h.d.ParserLimitingJob to the class for the logs having the loglevel value WARN.

  5. logscale
    | "Setting reject ingest for"

    Filters for events containing the string Setting reject ingest for. This is the error message generated when ingested events are rejected.

  6. logscale
    | groupBy(id, function=[count(), min(@timestamp), max(@timestamp)] )

    Groups the returned result by the field id, counts the events in each group, and returns the minimum and maximum timestamp. This returns a new event set with the fields id, _count, _min, and _max.

  7. logscale
    | timeDiff:=_max-_min

    Calculates the time difference between the maximum timestamp values and the minimum timestamp values and returns the result in a new field named timeDiff.

  8. logscale
    | timeDiff > 300000 and _count > 10

    Returns all events where the value of timeDiff is greater than 300000 and where there are more than 10 occurrences.

  9. Event Result set.

Summary and Results

This query is used to set up alerts for parser issues. Setting up alerts for parser issues allows you to proactively reach out to customers whose queries are being throttled and help them.
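The alert pipeline above, replayed in Python over constructed events so the two thresholds can be seen deciding which parser IDs fire. This is an added example, not LogScale's own code: the field names (#type, #kind, loglevel, class, id, @timestamp) follow the query on the page, the free-text match is applied to an assumed @rawstring field, and the sample events and parser IDs are made up.

```python
from collections import defaultdict

# Thresholds from the final query line: timeDiff > 300000 and _count > 10
TIME_DIFF_MS = 300_000
MIN_COUNT = 10
NEEDLE = "Setting reject ingest for"

def matches_filters(ev):
    """Steps 2-5: #type=humio #kind=logs, loglevel=WARN, class filter, free-text match."""
    return (ev.get("#type") == "humio"
            and ev.get("#kind") == "logs"
            and ev.get("loglevel") == "WARN"
            and ev.get("class") == "c.h.d.ParserLimitingJob"
            and NEEDLE in ev.get("@rawstring", ""))

def group_by_id(events):
    """Step 6: groupBy(id, function=[count(), min(@timestamp), max(@timestamp)])."""
    groups = defaultdict(list)
    for ev in events:
        if matches_filters(ev):
            groups[ev["id"]].append(ev["@timestamp"])
    return [{"id": pid, "_count": len(ts), "_min": min(ts), "_max": max(ts)}
            for pid, ts in groups.items()]

def alert_rows(events, time_diff_ms=TIME_DIFF_MS, min_count=MIN_COUNT):
    """Steps 7-8: timeDiff := _max - _min, then keep only rows over both thresholds."""
    rows = []
    for row in group_by_id(events):
        row["timeDiff"] = row["_max"] - row["_min"]
        if row["timeDiff"] > time_diff_ms and row["_count"] > min_count:
            rows.append(row)
    return rows

def make_event(pid, ts, loglevel="WARN", cls="c.h.d.ParserLimitingJob", text=NEEDLE):
    """Constructed sample event in the shape the query expects (not real humio output)."""
    return {"#type": "humio", "#kind": "logs", "loglevel": loglevel, "class": cls,
            "id": pid, "@timestamp": ts, "@rawstring": f"{text} parser {pid}"}

def sample_events():
    base = 1_700_000_000_000  # epoch milliseconds, constructed
    events = []
    # parser p1: 12 rejections spread over 11 minutes -> both thresholds met, alerts
    events += [make_event("p1", base + i * 60_000) for i in range(12)]
    # parser p2: 12 rejections within 2 minutes -> count ok, timeDiff too small
    events += [make_event("p2", base + i * 10_000) for i in range(12)]
    # parser p3: 3 rejections over an hour -> timeDiff ok, count too small
    events += [make_event("p3", base + i * 1_800_000) for i in range(3)]
    # noise the filters must drop: wrong loglevel, and a message without the needle
    events.append(make_event("p1", base, loglevel="INFO"))
    events.append(make_event("p1", base, text="Parser is healthy"))
    return events

if __name__ == "__main__":
    for row in alert_rows(sample_events()):
        print(row)
```

Only p1 survives: p2 has enough events but they are bunched inside the 300000 ms window, and p3 spans long enough but has too few events, which is the balance the introduction describes.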

Compute Aggregate Value for Each Array Element With Same Index

Compute an aggregate value for each array element with the same index using the array:reduceColumn() function

Query
logscale
maxTimes := array:reduceColumn(times, var=x, function={time := max(x)})
Introduction

In this example, the array:reduceColumn() function is used to find the maximum time for each array element with same index in a flat array.

Example incoming data might look like this:

times[0]  times[1]  times[2]
1         2         3
5         1         0
Step-by-Step
  1. Starting with the source repository events.

  2. logscale
    maxTimes := array:reduceColumn(times, var=x, function={time := max(x)})

    Computes the maximum time for each array element with the same index in the array and reduces each column to one value.

  3. Event Result set.

Summary and Results

The query is used to find the maximum time for each array element with the same index in a flat array.

_reduceColumn[0]  _reduceColumn[1]  _reduceColumn[2]
5                 2                 3

Compute an Aggregated Value of an Array on All Events

Compute an aggregated value of a flat array on all events using the array:reduceAll() function

Query
logscale
array:reduceAll("values[]", var=x, function=max(x))
Introduction

In this example, the aggregate function max() is used to output a single event with a single field.

Step-by-Step
  1. Starting with the source repository events.

  2. logscale
    array:reduceAll("values[]", var=x, function=max(x))

    Computes the maximum value over all the values within the array values[] by applying max() to each element, and then across each event in the event set.

  3. Event Result set.

Summary and Results

The query is used to compute a value from all events and array elements of a specified array. The reduce() method is recommended when you need a single value returned from iterating over your array. Only aggregate functions that return a single event with a single field (such as avg(), count(), sum(), max() etc.) are allowed as the function argument.
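The two array reductions on this page, array:reduceColumn() (one value per index across events) and array:reduceAll() (one value over every element of every event), re-created in Python with max() as the reducer so the difference is visible on the same input. This is an added example, not LogScale code; it assumes flat array fields are stored as times[0], times[1], ... on each event, uses the page's two-row times[] data as constructed input, and (as its own choice) lets events that lack an index simply not contribute to that index.

```python
import re
from collections import defaultdict

ARRAY_KEY = re.compile(r"^(?P<name>[^\[]+)\[(?P<idx>\d+)\]$")

def array_values(event, array_name):
    """Return {index: value} for the fields named array_name[0], array_name[1], ... on one event."""
    out = {}
    for key, val in event.items():
        m = ARRAY_KEY.match(key)
        if m and m.group("name") == array_name:
            out[int(m.group("idx"))] = val
    return out

def reduce_column(events, array_name, func=max, out_name="_reduceColumn"):
    """Like array:reduceColumn(): one reduced value per index across all events.
    Ragged input is tolerated: an index contributes only where an event has it."""
    columns = defaultdict(list)
    for ev in events:
        for idx, val in array_values(ev, array_name).items():
            columns[idx].append(val)
    return {f"{out_name}[{idx}]": func(vals) for idx, vals in sorted(columns.items())}

def reduce_all(events, array_name, func=max, out_name="_max"):
    """Like array:reduceAll(): one value over every element of every event.
    Returns {} when there is no element at all (nothing to emit)."""
    vals = [v for ev in events for v in array_values(ev, array_name).values()]
    return {out_name: func(vals)} if vals else {}

# Constructed input mirroring the page's two-row times[] example
SAMPLE_EVENTS = [
    {"times[0]": 1, "times[1]": 2, "times[2]": 3},
    {"times[0]": 5, "times[1]": 1, "times[2]": 0},
]

if __name__ == "__main__":
    print(reduce_column(SAMPLE_EVENTS, "times"))  # per-index maxima: 5, 2, 3
    print(reduce_all(SAMPLE_EVENTS, "times"))     # overall maximum: 5
```

Passing func=min with out_name="_min" gives the corresponding minimum reductions, since both helpers only require a function that maps a list of numbers to one number, which is the single-field aggregate restriction the summary describes.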

Create a Pivot Table

Creating a view of LogScale activity

Query
logscale
groupBy([type,actor.user.id],function={groupBy(actor.user.id, function=max(@timestamp))})
|transpose(header=type)
|drop(column)
Introduction

The humio-audit repository contains audit events for the LogScale cluster. Reporting on this information can provide a wealth of detail, and a useful summary can be created based on the activities, the users, and the latest user to perform each particular operation.

Step-by-Step
  1. Starting with the source repository events.

  2. logscale
    groupBy([type,actor.user.id],function={groupBy(actor.user.id, function=max(@timestamp))})

    The first step to creating a pivot table is the base query that creates the initial summary of the information. This fragment uses a nested groupBy() aggregation. The embedded aggregation creates a group of the maximum access time for a given user, by using max() on the @timestamp against the actor.user.id. This creates a table of the last event by the user. The outer groupBy() then creates an aggregation of this maximum user time against the type, which defines the operation performed.

    The result is a table of the last user and time for a specific operation; for example, the last time a query was executed. An example of this table can be seen below:

    type actor.user.id _max
    alert.clear-error 0O7WGPBX9YbvZbKOrBMd5fgH 1700546666592
    alert.create 0O7WGPBX9YbvZbKOrBMd5fgH 1699004139419
    alert.update 0O7WGPBX9YbvZbKOrBMd5fgH 1700546666676
    dashboard.create 0O7WGPBX9YbvZbKOrBMd5fgH 1698417330709
    dataspace.query 0O7WGPBX9YbvZbKOrBMd5fgH 1700721296197
  3. logscale
    |transpose(header=type)

    The transpose() will convert individual columns into rows, switching the orientation. For example, the type column will now become the type row. However, there are no row titles, so the title for the resulting table will by default create a header row containing the column and row numbers, like this:

    column row[1] row[2] row[3] row[4] row[5]
    _max 1700546666592 1699004139419 1700546666676 1698417330709 1700722209214
    actor.user.id 0O7WGPBX9YbvZbKOrBMd5fgH 0O7WGPBX9YbvZbKOrBMd5fgH 0O7WGPBX9YbvZbKOrBMd5fgH 0O7WGPBX9YbvZbKOrBMd5fgH 0O7WGPBX9YbvZbKOrBMd5fgH
    type alert.clear-error alert.create alert.update dashboard.create dataspace.query

    However, the aggregate grouping field, type, could be used instead as a valid header for each column. To achieve that, use the header parameter to specify type as the column. The resulting table now looks like this:

    alert.clear-error alert.create alert.update column dashboard.create dataspace.query
    1700546666592 1699004139419 1700546666676 _max 1698417330709 1700722210073
    0O7WGPBX9YbvZbKOrBMd5fgH 0O7WGPBX9YbvZbKOrBMd5fgH 0O7WGPBX9YbvZbKOrBMd5fgH actor.user.id 0O7WGPBX9YbvZbKOrBMd5fgH 0O7WGPBX9YbvZbKOrBMd5fgH
  4. logscale
    |drop(column)

    The table created contains the summarized information pivoted around the user ID and last event time further summarized by the type of the event. However, there is a column in the table, column, which is now a field in the event stream that was generated from the old row before the table was pivoted.

    That column can be removed by dropping the column field from each event with drop().

  5. Event Result set.

Summary and Results

Pivoting an event set of data allows for the information to be displayed and summarized in a format that may make more logical sense as a display format. The final table will look like this:

alert.clear-error alert.create alert.update dashboard.create dataspace.query
1700546666592 1699004139419 1700546666676 1698417330709 1700722210073
0O7WGPBX9YbvZbKOrBMd5fgH 0O7WGPBX9YbvZbKOrBMd5fgH 0O7WGPBX9YbvZbKOrBMd5fgH 0O7WGPBX9YbvZbKOrBMd5fgH 0O7WGPBX9YbvZbKOrBMd5fgH
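The three stages of the pivot (nested groupBy() keeping the latest @timestamp per user and type, transpose(header=type), then drop(column)) re-created in Python so the shape of the intermediate and final tables can be checked. This is an added example, not LogScale code: field names follow the page, the user IDs and timestamps are constructed, and the transpose helper deliberately rejects a header value that appears in more than one row (an assumption made here to keep columns unambiguous, not documented LogScale behaviour).

```python
def latest_per_type(events):
    """Nested groupBy(): for each (type, actor.user.id) keep the maximum @timestamp.
    Returns rows {type, actor.user.id, _max}, sorted by type then user."""
    latest = {}
    for ev in events:
        key = (ev["type"], ev["actor.user.id"])
        latest[key] = max(latest.get(key, 0), ev["@timestamp"])
    return [{"type": t, "actor.user.id": u, "_max": ts}
            for (t, u), ts in sorted(latest.items())]

def transpose(rows, header):
    """transpose(header=...): every other field becomes a row, every input row a column
    named by its header value; the 'column' field records the original field name."""
    fields = sorted(f for f in rows[0] if f != header)
    seen = set()
    for r in rows:
        if r[header] in seen:
            raise ValueError(f"header value {r[header]!r} is not unique; columns would collide")
        seen.add(r[header])
    out = []
    for f in fields:
        row = {"column": f}
        for r in rows:
            row[r[header]] = r[f]
        out.append(row)
    return out

def drop(rows, field):
    """drop(field): remove the field from every event."""
    return [{k: v for k, v in r.items() if k != field} for r in rows]

def pivot(events):
    """The page's full query: groupBy(...) | transpose(header=type) | drop(column)."""
    return drop(transpose(latest_per_type(events), header="type"), "column")

# Constructed audit events: one user, three operation types, one repeated type
SAMPLE_AUDIT = [
    {"type": "alert.create", "actor.user.id": "USER-A", "@timestamp": 1_699_004_139_419},
    {"type": "alert.update", "actor.user.id": "USER-A", "@timestamp": 1_700_546_666_676},
    {"type": "dataspace.query", "actor.user.id": "USER-A", "@timestamp": 1_700_000_000_000},
    {"type": "dataspace.query", "actor.user.id": "USER-A", "@timestamp": 1_700_721_296_197},
]

if __name__ == "__main__":
    for stage in (latest_per_type(SAMPLE_AUDIT),
                  transpose(latest_per_type(SAMPLE_AUDIT), header="type"),
                  pivot(SAMPLE_AUDIT)):
        for row in stage:
            print(row)
        print()
```

The intermediate stage shows the column field holding _max and actor.user.id exactly as in the page's second table, and the final stage is the two-row pivot with one column per operation type.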

Rounding Within a Timechart

Query
logscale
timeChart(function=max(value))
| round(_max, how=floor)
Introduction

Round a field and display using a Time chart.

Step-by-Step
  1. Starting with the source repository events.

  2. logscale
    timeChart(function=max(value))

    Creates a Time Chart using max() as the aggregate function for the value field.

  3. logscale
    | round(_max, how=floor)

    Rounds the _max field implied by the aggregate max(), using the floor option to round the value down.

  4. Event Result set.

Summary and Results

Using the floor option of a function always rounds a number down. This is useful when displaying information in a time chart, as all numbers are resolved to their base value, which can make the differences between values easier to distinguish on a graph.