Match Field to Timespan
Match a field to a timespan using the eval() function with timeChart()
Query
timechart(method, span=5min)
| eval(_count=_count/5)
Introduction
The eval() function can be used to create new fields or update existing ones. In this example, eval() is used together with timeChart() to match a field to the timespan: the count in each 5 minute bucket is divided by 5 to convert it from a 5 minute count into a per-minute count.
Step-by-Step
Starting with the source repository events.
[Flowchart: Events -> Aggregate -> Add Field -> Result Set; this step highlights Aggregate]
timechart(method, span=5min)
Creates a timechart based on the values of the method field, and groups data into 5 minute buckets (span=5min). By default, it counts events in each bucket and returns the result in a field named _count.
[Flowchart: Events -> Aggregate -> Add Field -> Result Set; this step highlights Add Field]
| eval(_count=_count/5)
Divides the count by 5 to convert from a 5-minute count to a per-minute count, and returns the new value in the _count field.
This approach is useful when you want to display per-minute rates but also want to benefit from the reduced data points and improved performance of larger time buckets.
Event result set.
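To make the two steps concrete, the following is an added Python illustration, not LogScale query language and not code from the LogScale documentation. It replays what the query does on a handful of constructed events that carry an @timestamp and a method field: bucket the events into epoch-aligned 5 minute spans, count them per method (the timechart() step), then divide each count by 5 (the eval() step). The field names, the epoch alignment of the buckets and the sample events are assumptions made for this example.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

SPAN_MINUTES = 5                       # the span=5min bucket width used by the query
SPAN = timedelta(minutes=SPAN_MINUTES)
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Constructed sample events (not from any real repository), as (method, mm:ss after 10:00).
# Bucket 10:00-10:04 holds 10 GET and 5 POST; bucket 10:05-10:09 holds 3 GET.
SAMPLE_EVENTS = [
    {"@timestamp": f"2024-01-01T10:{t}Z", "method": m}
    for m, t in [
        ("GET", "00:10"), ("GET", "00:40"), ("GET", "01:05"), ("GET", "01:50"), ("GET", "02:15"),
        ("GET", "02:30"), ("GET", "03:00"), ("GET", "03:45"), ("GET", "04:20"), ("GET", "04:55"),
        ("POST", "00:30"), ("POST", "01:30"), ("POST", "02:45"), ("POST", "03:30"), ("POST", "04:30"),
        ("GET", "05:01"), ("GET", "07:30"), ("GET", "09:59"),
    ]
]


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z into an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def bucket_start(ts: datetime, span: timedelta) -> datetime:
    """Floor ts to the start of its epoch-aligned bucket of width span (assumed alignment)."""
    return ts - ((ts - EPOCH) % span)


def timechart(events, series_field, span=SPAN):
    """Mimic timechart(<series_field>, span=...): one row per (bucket, series value) with _count."""
    counts = Counter(
        (bucket_start(parse_ts(ev["@timestamp"]), span), ev[series_field]) for ev in events
    )
    return [
        {"_bucket": bucket, series_field: series, "_count": count}
        for (bucket, series), count in sorted(counts.items())
    ]


def eval_per_minute(rows, span_minutes=SPAN_MINUTES):
    """Mimic | eval(_count=_count/5): overwrite _count with the per-minute rate."""
    return [dict(row, _count=row["_count"] / span_minutes) for row in rows]


def per_minute_rates(events=SAMPLE_EVENTS):
    """Run both steps and return {(bucket ISO string, method): per-minute rate}."""
    rows = eval_per_minute(timechart(events, "method"))
    return {(row["_bucket"].isoformat(), row["method"]): row["_count"] for row in rows}


if __name__ == "__main__":
    for (bucket, method), rate in per_minute_rates().items():
        print(f"{bucket}  {method:<5} {rate:.2f} req/min")
```

Running it prints 2.00 req/min for GET and 1.00 req/min for POST in the first bucket and 0.60 req/min for GET in the second, the same three rows the query would chart. One general property of fixed-span bucketing worth keeping in mind when reading such a chart: a bucket that only partly overlaps the search window is still divided by the full 5, so its per-minute value is understated.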
Summary and Results
The query is used to match a field to a timespan. It summarizes the count into 5 minute blocks and displays them in those increments using the span parameter of timeChart(). The eval() function then divides each 5 minute count by 5, giving a per-minute value for each 5 minute timespan. You can, for example, use this pattern to test a complex function or expression with different inputs and quickly check the output in the returned values.