Compute an Aggregated Value of an Array on All Events

Compute an aggregated value of a flat array on all events using the array:reduceAll() function

Query

```logscale
array:reduceAll("values[]", var=x, function=max(x))
```

Introduction

The array:reduceAll() function computes a value across all events and all elements of the specified array. It returns a single value: the accumulated result of the aggregate function applied to every element.

In this example, the aggregate function max() is used to output a single event with a single field.

Step-by-Step

  1. Starting with the source repository events.

  2. Flow: Events --> Array Manipulation --> Result Set

    ```logscale
    array:reduceAll("values[]", var=x, function=max(x))
    ```

    Computes the maximum value over all the values within the array values[] by applying max() to each element, and then across every event in the event set.

  3. Event Result set.

Summary and Results

The query is used to compute a single value from all events and all elements of a specified array. array:reduceAll() is recommended when you need a single value returned from iterating over your array. Only aggregate functions that return a single event with a single field (such as avg(), count(), sum(), max(), etc.) are allowed as the function argument.
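To make the semantics concrete, the following is an added Python model of what array:reduceAll() computes; it is example code written for this page, not LogScale's own implementation. It assumes arrays arrive as flattened fields (values[0], values[1], ...), which is how LogScale names array elements, and that the output field mirrors max()'s default name _max. The constructed events include an event with no array and one with a non-numeric element, so the example also shows how those edge cases fall out of the aggregation.

```python
import re
from typing import Callable, Dict, List

# Constructed sample events (not from the original page). A JSON array
# "values" is stored as flattened fields values[0], values[1], ... per event.
EVENTS: List[Dict[str, str]] = [
    {"@timestamp": "1", "host": "web-01", "values[0]": "12", "values[1]": "47"},
    {"@timestamp": "2", "host": "web-02", "values[0]": "3"},
    {"@timestamp": "3", "host": "web-03"},                                        # no array at all
    {"@timestamp": "4", "host": "web-04", "values[0]": "n/a", "values[1]": "9"},  # non-numeric element
]


def array_elements(event: Dict[str, str], array_field: str) -> List[float]:
    """Return the numeric elements of array_field (e.g. 'values[]') in one event, in index order.

    Non-numeric elements are skipped, matching the behaviour of numeric aggregates
    such as max(), which ignore values they cannot parse (assumption stated in the lead-in).
    """
    base = array_field[:-2] if array_field.endswith("[]") else array_field
    pattern = re.compile(re.escape(base) + r"\[(\d+)\]$")
    found = []
    for key, raw in event.items():
        m = pattern.match(key)
        if not m:
            continue
        try:
            found.append((int(m.group(1)), float(raw)))
        except ValueError:
            continue
    return [value for _, value in sorted(found)]


def reduce_all(events: List[Dict[str, str]], array_field: str,
               function: Callable[[List[float]], float], out_field: str) -> Dict[str, float]:
    """Model of array:reduceAll(): flatten every element of every event into one
    sequence, apply a single aggregate once, and emit one event with one field.

    Returns an empty dict when no event carries any numeric element, i.e. no result event.
    """
    elements = [x for ev in events for x in array_elements(ev, array_field)]
    if not elements:
        return {}
    return {out_field: function(elements)}


# Aggregates permitted as the function argument: each yields one value.
# Output field names follow LogScale's defaults (_max, _min, _sum, _count, _avg).
AGGREGATES: Dict[str, Callable[[List[float]], float]] = {
    "_max": max,
    "_min": min,
    "_sum": sum,
    "_count": lambda xs: float(len(xs)),
    "_avg": lambda xs: sum(xs) / len(xs),
}


def reduce_all_max(events: List[Dict[str, str]] = EVENTS) -> Dict[str, float]:
    """The page's query, array:reduceAll("values[]", var=x, function=max(x)), over the sample events."""
    return reduce_all(events, "values[]", AGGREGATES["_max"], "_max")


if __name__ == "__main__":
    # Each call produces exactly one result event with one field.
    for name, fn in AGGREGATES.items():
        print(name, reduce_all(EVENTS, "values[]", fn, name))
    # Events without the array contribute nothing; an empty event set gives no result event.
    print("empty:", reduce_all([{"host": "web-05"}], "values[]", max, "_max"))
```

Note that the aggregate runs once over the pooled elements of all events, not once per event: sum() here adds the four numeric elements across three events, and count() counts elements, not events.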