Send events that produced aggregate results to actions
Security Requirements and Controls: Create actions permission
Note: This functionality is only available for Scheduled Searches, Aggregate Alerts, and Legacy Alerts.
The list of events that match an aggregate query can be sent to Actions when you need some of the individual events delivered as a supplement to the aggregate result. This is done in the query itself and is supported for many trigger queries.
Suppose you have a trigger on an error count being too high based on a query like this:
loglevel = ERROR
| count()
| _count > 100
This produces a single event whose only field, _count, holds the number of events matched by the trigger query.
To include just a portion of the counted events, use the tail() function:
loglevel = ERROR
| [count(), tail(5)]
| _count > 100
In this example, the trigger query returns the last five individual events together with the aggregate count.
You may also want to return only some fields in the aggregated result; to do so, add a select() function to your query:
loglevel = ERROR
| [count(), tail(5)]
| _count > 100
| select([class,behindSec,_count])
The example query above then returns only the class, behindSec, and _count fields instead of the entire individual events.
The same approach works when grouping errors by server:
loglevel = ERROR
| groupBy(server, function=count())
| _count > 100
As in the previous example, it can be rewritten to also return the last five events:
loglevel = ERROR
| groupBy(server, function=[count(), tail(5)])
| _count > 100
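As an added illustration (not LogScale code or part of this page), the following Python model shows the shape of the rows the queries above hand to an action. It assumes that listing several functions, such as [count(), tail(5)], cross-joins their results so every emitted event carries _count; the sample events, server names and threshold are constructed for the example.

```python
# Added example: a Python model of how the trigger queries on this page shape
# the events an action receives. Assumption: listing several functions in
# stats/groupBy (here count() and tail(n)) cross-joins their results, so each of
# the n tail events carries the _count field. Illustration only, not LogScale code.
from collections import defaultdict

# Constructed sample events; field names follow the examples on the page.
EVENTS = [
    {"loglevel": "ERROR", "server": "web-1", "class": "Db", "behindSec": 3, "msg": f"e{i}"}
    for i in range(120)
] + [
    {"loglevel": "ERROR", "server": "web-2", "class": "Cache", "behindSec": 1, "msg": f"c{i}"}
    for i in range(40)
] + [{"loglevel": "INFO", "server": "web-1", "class": "Db", "behindSec": 0, "msg": "ok"}]


def count_and_tail(events, n):
    """Model of `[count(), tail(n)]`: the single _count row is cross-joined with
    the last n events, so every emitted event carries _count."""
    total = len(events)
    return [dict(ev, _count=total) for ev in events[-n:]]


def trigger_query(events, threshold=100, n=5, fields=None):
    """`loglevel = ERROR | [count(), tail(n)] | _count > threshold | select(fields)`."""
    errors = [ev for ev in events if ev.get("loglevel") == "ERROR"]
    rows = [r for r in count_and_tail(errors, n) if r["_count"] > threshold]
    if fields:  # select(): keep only the listed fields
        rows = [{f: r[f] for f in fields if f in r} for r in rows]
    return rows


def grouped_trigger_query(events, threshold=100, n=5):
    """`loglevel = ERROR | groupBy(server, function=[count(), tail(n)]) | _count > threshold`."""
    by_server = defaultdict(list)
    for ev in events:
        if ev.get("loglevel") == "ERROR":
            by_server[ev["server"]].append(ev)
    rows = []
    for server, evs in by_server.items():  # count and tail are evaluated per group
        rows += [dict(r, server=server) for r in count_and_tail(evs, n) if r["_count"] > threshold]
    return rows


if __name__ == "__main__":
    for row in trigger_query(EVENTS, fields=["class", "behindSec", "_count"]):
        print(row)  # five rows, each with _count=160
    for row in grouped_trigger_query(EVENTS):
        print(row["server"], row["_count"], row["msg"])  # only web-1 (120 errors) fires
```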
To send the counted events as a supplement — say via an Email action — use message templates for the action you are creating.
You may use the message template {field:FIELD_NAME} to get the count, and one of the templates that produces all events, like {events_str}, {events} or {events_html}, to get the events out.
In the example, configure your Email action with {field:$_count} and {events_html} to get both the actual count and the events out.