Available:slidingWindow()
v1.174.0
The slidingWindow() function is available
from version 1.174.0.
The slidingWindow() function applies an
aggregation to a moving window of a specified number of events
in a sequence. It is useful for calculating metrics over a fixed
number of recent events, allowing for trend analysis and
smoothing of data. For aggregating sliding windows based on time
series span, see slidingTimeWindow()
function.
For more information about sequence functions and combined usage, see Sequence Query Functions.
| Parameter | Type | Required | Default Value | Description |
|---|---|---|---|---|
current | enum | optional[a] | include | Controls whether to include the current event in the accumulation. |
| Values | ||||
exclude | Exclude current event in the accumulation | |||
include | Include current event in the accumulation | |||
events | integer | required | The number of events in each window. | |
| Minimum | 1 | 1 event | ||
| Maximum | 1000 | 1000 events | ||
function[b] | array of aggregate functions | required | The aggregator function(s) to apply to each window. It only accepts functions that output a maximum of one single event. | |
[a] Optional parameters use their default value unless explicitly set. | ||||
Hide omitted argument names for this function
Omitted Argument NamesThe argument name for
functioncan be omitted; the following forms of this function are equivalent:logscale SyntaxslidingWindow("value",events="value")and:
logscale SyntaxslidingWindow(function="value",events="value")These examples show basic structure only.
Note
The
slidingWindow()function must be used after an aggregator function (for example,head(),sort(),bucket(),groupBy()timeChart()) to ensure event ordering, as theaccumulate()function requires a specific order to calculate cumulative values correctly.Only functions (for example,
sum(),avg(),count()) that output a single event can be used in the sub-aggregation because theslidingWindow()function needs a single value to add to its running total for each event.
slidingWindow() Examples
Click next to an example below to get the full details.
Detect Continuously Upwards Going Trend
Detect continuously upwards going trend using the
slidingWindow() function combined with
neighbor()
Query
head()
| neighbor(value, prefix=prev)
| change := value - prev.value
| slidingWindow(
[
{change >= 0 | count(as=positiveTrend)},
{change < 0 | count(as=negativeTrend)}
],
events=2
)
| positiveTrend >= 2Introduction
In this example, the slidingWindow() function
combined with neighbor() is used to detect
continuously upwards going trend. It looks for sequences where the value
is consistently increasing or staying the same over at least two
consecutive measurements.
Note that sequence functions must be used after an aggregator function to ensure event ordering.
Example incoming data might look like this:
| value |
|---|
| 3 |
| 5.5 |
| 4 |
| 6 |
| 10 |
Step-by-Step
Starting with the source repository events.
- logscale
head()Selects the oldest events ordered by time.
- logscale
| neighbor(value, prefix=prev)Creates a new field named prev.value containing the value from the previous event.
- logscale
| change := value - prev.valueCalculates the change between the current value and the previous value, and assigns the returned results to a field named change.
- logscale
| slidingWindow( [ {change >= 0 | count(as=positiveTrend)}, {change < 0 | count(as=negativeTrend)} ], events=2 )Creates a sliding window of 2 events. Within each window, it counts changes equal to zero or higher (positive or zero changes) and returns the results in a field named positiveTrend, and then also counts the negative changes and returns the results in a field named negativeTrend.
- logscale
| positiveTrend >= 2Filters for windows where there are at least 2 positive (or zero) changes.
Event Result set.
Summary and Results
The query is used to detect a continuous upwards trend in a series of values. The query can be used to monitor system metrics for consistent increases (for example, memory usage, CPU load) and to identify potential anomalies in time-series data.
Sample output from the incoming example data:
| value | positiveTrend | negativeTrend | change | prev.value |
|---|---|---|---|---|
| 10 | 2 | 0 | 4 | 6 |