Group First Events by Log Level

Limit and group events using head() and groupBy() functions

Query

Flow: Events -> Filter -> Aggregate -> Result Set

    head(limit=10)
    | groupBy(loglevel)

Introduction

The head() function combined with groupBy() can be used to analyze the distribution of a limited set of events across specific field values.

In this example, head(limit=10) limits the result set to the first 10 events, which are then grouped by their log level using the groupBy() function.

Example incoming data might look like this:

@timestamp            loglevel  service         message                 status_code
2025-09-01T10:00:00Z  ERROR     authentication  Failed login attempt    401
2025-09-01T10:00:05Z  INFO      authentication  Successful login        200
2025-09-01T10:00:10Z  ERROR     database        Connection timeout      503
2025-09-01T10:00:15Z  WARN      api             Rate limit approaching  429
2025-09-01T10:00:20Z  ERROR     authentication  Invalid token           401
2025-09-01T10:00:25Z  INFO      api             Request processed       200
2025-09-01T10:00:30Z  DEBUG     database        Query executed          200
2025-09-01T10:00:35Z  ERROR     api             Internal error          500
2025-09-01T10:00:40Z  INFO      authentication  User logout             200
2025-09-01T10:00:45Z  WARN      database        High CPU usage          200
2025-09-01T10:00:50Z  DEBUG     api             Cache hit               200
2025-09-01T10:00:55Z  ERROR     authentication  Session expired         401

Step-by-Step

  1. Starting with the source repository events.

  2. Filter stage:

    head(limit=10)

    Returns the first 10 events from the dataset. The limit parameter explicitly specifies the number of events to return. The events are returned in the order they were received, starting from the oldest event in the time range.

  3. Aggregate stage:

    groupBy(loglevel)

    Groups the events by the values in the loglevel field. The groupBy() function creates buckets for each unique value and counts the number of events in each bucket. By default, it creates a field named _count containing the number of events in each group.

  4. Event Result set.

Summary and Results

The query is used to analyze the distribution of log levels across the first 10 events in the dataset. Had the query used head(limit=100), it would have returned 100 events instead.

This query is useful, for example, to quickly assess the proportion of different log levels in a sample of events or to identify if there is an unusual distribution of log severities.

Sample output from the incoming example data:

loglevel  _count
ERROR     5
INFO      3
WARN      2
DEBUG     2

Note that the output shows the count of events for each log level found within the first 10 events, providing a quick overview of the log level distribution in the sample.
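As an added illustration that is not part of the LogScale documentation or the product's own code, the following Python models the head(limit=N) | groupBy(loglevel) pipeline over the sample events above (re-typed here as constructed test data) and adds an ERROR-share check a reviewer might run on such a sample; the skipping of events without a loglevel field is an assumption of this model.

```python
from collections import Counter

# Constructed sample events mirroring the page's incoming-data table, in
# arrival order (oldest first), which is the order head() reads them in.
FIELDS = ("@timestamp", "loglevel", "service", "message", "status_code")
ROWS = [
    ("2025-09-01T10:00:00Z", "ERROR", "authentication", "Failed login attempt", 401),
    ("2025-09-01T10:00:05Z", "INFO", "authentication", "Successful login", 200),
    ("2025-09-01T10:00:10Z", "ERROR", "database", "Connection timeout", 503),
    ("2025-09-01T10:00:15Z", "WARN", "api", "Rate limit approaching", 429),
    ("2025-09-01T10:00:20Z", "ERROR", "authentication", "Invalid token", 401),
    ("2025-09-01T10:00:25Z", "INFO", "api", "Request processed", 200),
    ("2025-09-01T10:00:30Z", "DEBUG", "database", "Query executed", 200),
    ("2025-09-01T10:00:35Z", "ERROR", "api", "Internal error", 500),
    ("2025-09-01T10:00:40Z", "INFO", "authentication", "User logout", 200),
    ("2025-09-01T10:00:45Z", "WARN", "database", "High CPU usage", 200),
    ("2025-09-01T10:00:50Z", "DEBUG", "api", "Cache hit", 200),
    ("2025-09-01T10:00:55Z", "ERROR", "authentication", "Session expired", 401),
]
EVENTS = [dict(zip(FIELDS, row)) for row in ROWS]

def head(events, limit):
    """Model of head(limit=N): keep the first N events in arrival order."""
    return list(events)[:limit]

def group_by(events, field, count_field="_count"):
    """Model of groupBy(field): one row per distinct value with a count.
    Events lacking the field are skipped (an assumption of this model)."""
    counts = Counter(e[field] for e in events if field in e)
    return [{field: value, count_field: n} for value, n in counts.items()]

def loglevel_distribution(events, limit):
    """head(limit=N) | groupBy(loglevel), most frequent level first."""
    rows = group_by(head(events, limit), "loglevel")
    return sorted(rows, key=lambda r: (-r["_count"], r["loglevel"]))

def error_share(events, limit):
    """Fraction of sampled events at ERROR level; 0.0 for an empty sample."""
    sample = head(events, limit)
    if not sample:
        return 0.0
    return sum(1 for e in sample if e.get("loglevel") == "ERROR") / len(sample)

print(loglevel_distribution(EVENTS, 10))
```

With limit=10 only the first ten constructed rows are counted, so DEBUG appears once; a limit of 12 or more counts all twelve sample events.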