Aggregate Status Codes by count() Per Minute | LogScale Query Examples

Aggregate Status Codes by `count()` Per Minute

Time series aggregate status codes by count() per minute into buckets

Query

logscale

bucket(1min, field=status_code, function=count())

Introduction

Bucketing is a powerful technique for optimizing data storage and query performance. Bucketing allows for data to be collected according to a time range, dividing large datasets into manageable parts, thereby making it easier to quickly find specific events.

In this example, the bucket() function is used with count() to count different HTTP status codes over time and bucket them into time intervals of 1 minute.

Step-by-Step

Starting with the source repository events.
flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 0{{Aggregate}} result{{Result Set}} repo --> 0 0 --> result style 0 fill:#ff0000,stroke-width:4px,stroke:#000;
logscale
```
bucket(1min, field=status_code, function=count())
```
Counts different HTTP status codes over time and buckets them into time intervals of 1 minute. Notice that we group by two fields: status_code field and the implicit field _bucket.
Event Result set.

Summary and Results

The query is used to optimizing data storage and query performance. Bucketing allows for data to be collected according to a time range. Using the right aggregation function to quantify the value groups that information into the buckets suitable for graphing for example with a Bar Chart, with the size of the bar using the declared function result, count() in this example.

Examples Library