Aggregate Query Functions

LogScale's aggregate query functions provide grouping and/or aggregation of event data.

Table: Aggregate Query Functions

FunctionDefault ArgumentAvailabilityDescription
avg([as], field)field  Calculates the average for a field of a set of events.
bucket([buckets], [field], [function], [limit], [minSpan], [span], [timezone], [unit], [useOriginalTimestamp])span  Extends the groupBy() function for grouping by time.
callFunction([as], field, function)function  Calls the named function on a field over a set of events.
collect(fields, [limit], [multival], [separator])fields  Collects fields from multiple events into one event.
count([as], [distinct], [field])field  Counts given events.
counterAsRate([as], field)field  Calculates the rate for a counter field.
groupBy(field, [function], [limit])field  Groups events by specified fields and executes aggregate functions on each group.
head([limit])limit  Returns the oldest events.
linReg([prefix], x, y)   Computes linear relationship model between two variables using least-squares fitting.
selectFromMax(field, include)field  Selects event with the largest value for the specified field.
selectFromMin(field, include)field  Selects event with the smallest value for the specified field.
selectLast(fields)fields  Specify fields to select from events, keeping value of most recent event for each field.
series(collect, [endmatch], [maxduration], [maxpause], [memlimit], [separator], [startmatch])collect  Collects a series of values for selected fields from multiple events into one or more events.
sort([field], [limit], [order], [reverse], [type])field  Sorts events by their fields.
sum([as], field)field  Calculates the sum for a field over a set of events.
top([as], [error], field, [limit], [max], [percent], [rest], [sum])field  Finds the top results based on a given field.
window([buckets], [function], [span])function  Computes aggregate functions over a sliding window of data.

The following functions are supported only for testing queries and parsers.

Table: Aggregate (for testing) Query Functions

FunctionDefault ArgumentAvailabilityDescription
createEvents(rawstring)rawstring  Generates temporary events as part of the query.