Collects fields from multiple events into one event.
Function Traits: Aggregate
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
fields[a] | Array of strings | required | Names of the fields to keep. | |
limit | number | optional | 2000 | Limit to number of distinct values in collect. |
multival | boolean | optional | true | Collects the resulting value as multivalue (a single field value using separator). |
separator | string | optional | \n | Separator used for multiple values. |
The parameter name for fields can be omitted; the following forms are equivalent:
collect("value")and:
collect(fields="value")
The collect() has a limit of 1Kb per key when usedd
as part of a groupBy() operation. This limits the
number of values you can index during the aggregation.
The collect() function is limited in the memory for
while collecting data before the data is aggregated. The limit changes
depending on whether collect() runs as a top level
function — in which case its limit is 10 MiB:
#type = humio #kind=logs
| collect(myField)or whether it runs in a subquery, or as a sub-aggregator to another function — in which case its limit is 1 MiB:
#type = humio #kind=logs
groupBy(myField, function=collect(myOtherField))collect() Examples
Collects visitors, each visitor defined as non-active after one minute.
groupby(client_ip, function=session(maxpause=1m, collect([url])))