Sending Events that Produced Aggregate Results to Actions

Security Requirements and Controls

Note

This functionality is only available for Standard Alerts.

The events that matched an aggregate alert query can be sent to Actions together with the aggregate result, for cases where some of the underlying events are wanted as a supplement. This is done by writing the alert query accordingly, and is supported for many alert queries.

Suppose you have an alert on an error count being too high, based on a query like this:

```logscale
loglevel = ERROR
| count()
| _count > 100
```

This query produces only a single event, with the single field _count set to the count computed by the alert query.

To visualize just a portion of the counted events, use the tail() function:

```logscale
loglevel = ERROR
| [count(), tail(5)]
| _count > 100
```

In this example, the alert query outputs the last 5 individual events alongside the count.

You may also want to return only some fields in the aggregated result: to do so, add a select() function to your query:

```logscale
loglevel = ERROR
| [count(), tail(5)]
| _count > 100
| select([class,behindSec,_count])
```

The query above outputs only the class, behindSec and _count fields instead of the entire individual events.

The same kind of query can be written to group errors by server:

```logscale
loglevel = ERROR | groupBy(server, function=count()) | _count > 100
```

As in the previous example, it can be rewritten to also return the last 5 events for each server:

```logscale
loglevel = ERROR | groupBy(server, function=[count(), tail(5)]) | _count > 100
```
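The following is an added example, not LogScale code or documentation: a small Python model of the query pipelines above (count only, count plus tail(5) with select, and groupBy per server) run over constructed sample events, so the shape of each alert output can be inspected. It assumes that combining `[count(), tail(n)]` attaches the `_count` field to each of the returned tail rows, which is what the page's later `_count > 100` and `select([class,behindSec,_count])` steps rely on.

```python
# Constructed model of the alert queries above (example code, not LogScale's own). The
# `[count(), tail(n)]` step is modelled as the last n events with _count attached to each
# row, which is what lets `_count > 100` and `select([..., _count])` apply to those rows.
SAMPLE_EVENTS = [  # constructed sample log events: ERROR for every i except multiples of 10
    {"loglevel": "INFO" if i % 10 == 0 else "ERROR",
     "class": f"svc.Handler{i % 3}", "behindSec": i % 7,
     "server": f"web-{i % 2}", "message": f"failure #{i}"}
    for i in range(1, 231)
]

def where(events, field, value):
    """Models the filter `field = value`."""
    return [e for e in events if e.get(field) == value]

def count_only(events):
    """Models `| count()`: one row holding only _count, no event context for triage."""
    return [{"_count": len(events)}]

def count_and_tail(events, n):
    """Models `| [count(), tail(n)]`: the last n events, each carrying _count (assumed)."""
    return [dict(e, _count=len(events)) for e in events[-n:]]

def threshold(rows, minimum):
    """Models `| _count > minimum`."""
    return [r for r in rows if r["_count"] > minimum]

def select(rows, fields):
    """Models `| select([...])`: keep only the named fields."""
    return [{f: r[f] for f in fields if f in r} for r in rows]

def group_by(events, key, n):
    """Models `| groupBy(key, function=[count(), tail(n)])`: count and tail per group."""
    groups = {}
    for e in events:
        groups.setdefault(e[key], []).append(e)
    return [r for g in groups.values() for r in count_and_tail(g, n)]

def alert_count_only():
    """`loglevel = ERROR | count() | _count > 100`"""
    return threshold(count_only(where(SAMPLE_EVENTS, "loglevel", "ERROR")), 100)

def alert_with_sample():
    """`loglevel = ERROR | [count(), tail(5)] | _count > 100 | select([class,behindSec,_count])`"""
    rows = count_and_tail(where(SAMPLE_EVENTS, "loglevel", "ERROR"), 5)
    return select(threshold(rows, 100), ["class", "behindSec", "_count"])

def alert_per_server():
    """`loglevel = ERROR | groupBy(server, function=[count(), tail(5)]) | _count > 100`"""
    return threshold(group_by(where(SAMPLE_EVENTS, "loglevel", "ERROR"), "server", 5), 100)
```

With the constructed data, the ungrouped count (207) passes the threshold, while the per-server query keeps only web-1 (115 errors) and drops web-0 (92), showing that grouping can change which rows the action receives.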

To send the counted events out as a supplement, for example via an Email action, use message templates when creating the action.

You may use the message template {field:$FIELD_NAME} to get the count and one of the templates that produces all events, like {events_str}, {events} or {events_html} to get the events out.

In our example, configure your Email action with {field:$_count} combined with {events_html} to get both the actual count and the events out.