The slidingWindow() function is available from version 1.174.0.

The slidingWindow() function applies an aggregation to a moving window of a specified number of events in a sequence. It is useful for calculating metrics over a fixed number of recent events, allowing for trend analysis and smoothing of data. For aggregating sliding windows based on a time span, see the slidingTimeWindow() function.

For more information about sequence functions and combined usage, see Sequence Query Functions.

| Parameter | Type | Required | Default Value | Description |
|---|---|---|---|---|
| current | enum | optional[a] | include | Controls whether to include the current event in the accumulation. Values: exclude (exclude current event in the accumulation), include (include current event in the accumulation). |
| events | integer | required | | The number of events in each window. Minimum: 1 (1 event). Maximum: 1000 (1000 events). |
| function[b] | array of aggregate functions | required | | The aggregator function(s) to apply to each window. It only accepts functions that output a maximum of one single event. |

[a] Optional parameters use their default value unless explicitly set.

[b] The parameter name function can be omitted.

Note

  • The slidingWindow() function must be used after an aggregator function (for example, head(), sort(), bucket(), groupBy(), timeChart()) to ensure event ordering, as the accumulate() function requires a specific order to calculate cumulative values correctly.

  • Only functions (for example, sum(), avg(), count()) that output a single event can be used in the sub-aggregation because the slidingWindow() function needs a single value to add to its running total for each event.

Detect Continuously Upwards Going Trend

Detect continuously upwards going trend using the slidingWindow() function combined with neighbor()

Query
logscale
head()
| neighbor(value, prefix=prev)
| change := value - prev.value
| slidingWindow(
    [
         {change >= 0 | count(as=positiveTrend)},
         {change < 0  | count(as=negativeTrend)}
    ],
    events=2
    )
| positiveTrend >= 2

Introduction

In this example, the slidingWindow() function combined with neighbor() is used to detect a continuously upward trend. It looks for sequences where the value is consistently increasing or staying the same over at least two consecutive measurements.

Note that sequence functions must be used after an aggregator function to ensure event ordering.

Example incoming data might look like this:

value
3
5.5
4
6
10

Step-by-Step
  1. Starting with the source repository events.

  2. logscale
    head()

    Selects the oldest events ordered by time.

  3. logscale
    | neighbor(value, prefix=prev)

    Creates a new field named prev.value containing the value from the previous event.

  4. logscale
    | change := value - prev.value

    Calculates the change between the current value and the previous value, and assigns the returned results to a field named change.

  5. logscale
    | slidingWindow(
        [
             {change >= 0 | count(as=positiveTrend)},
             {change < 0  | count(as=negativeTrend)}
        ],
        events=2
        )

    Creates a sliding window of 2 events. Within each window, it counts the changes that are zero or higher and returns the result in a field named positiveTrend, and counts the negative changes and returns the result in a field named negativeTrend.

  6. logscale
    | positiveTrend >= 2

    Filters for windows where there are at least 2 positive (or zero) changes.

  7. Event Result set.

Summary and Results

The query is used to detect a continuous upwards trend in a series of values. The query can be used to monitor system metrics for consistent increases (for example, memory usage, CPU load) and to identify potential anomalies in time-series data.

Sample output from the incoming example data:

| value | positiveTrend | negativeTrend | change | prev.value |
|---|---|---|---|---|
| 10 | 2 | 0 | 4 | 6 |
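
The following Python model is an added example, not part of the LogScale documentation or product code. It replays the query over the example data to show the per-event counters behind the single output row. It assumes that the first event, which has no prev.value, gets no change field and is therefore counted by neither filter.

```python
from collections import deque

# Constructed input: the "value" column from the example data on this page.
SAMPLE_VALUES = [3, 5.5, 4, 6, 10]


def trend_windows(values, events=2):
    """Model neighbor() + change + slidingWindow(events=N, current=include).

    Returns one dict per input event with the fields the query would carry.
    """
    window = deque(maxlen=events)  # holds the last `events` change values
    rows, prev = [], None
    for value in values:
        # neighbor(value, prefix=prev): the first event has no predecessor.
        # Assumption: change is then left unset and matches neither filter.
        change = None if prev is None else value - prev
        window.append(change)
        rows.append({
            "value": value,
            "prev.value": prev,
            "change": change,
            # {change >= 0 | count(as=positiveTrend)}
            "positiveTrend": sum(1 for c in window if c is not None and c >= 0),
            # {change < 0 | count(as=negativeTrend)}
            "negativeTrend": sum(1 for c in window if c is not None and c < 0),
        })
        prev = value
    return rows


def upward_trend(values, events=2, threshold=2):
    """Final filter of the query: positiveTrend >= threshold."""
    return [r for r in trend_windows(values, events)
            if r["positiveTrend"] >= threshold]


if __name__ == "__main__":
    for row in trend_windows(SAMPLE_VALUES):
        print(row)
    print("matches:", upward_trend(SAMPLE_VALUES))
```

The intermediate rows show why only the last event matches: every earlier window contains either the unset first change or a negative change.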