Access Fields From Single Neighboring Event in a Sequence - Example 3
Access fields from a single neighboring (further away) event in a sequence using the neighbor() function
Query
head()
| neighbor(key, prefix=prev, distance=2)Introduction
The neighbor() function can be used to look at data
from nearby events in a defined sequence. The
neighbor() function can be used to compare an event
with events that came before or after it, to identify patterns in a data
sequence and to analyze how data changes from one event to the next.
In this example, the neighbor() function is used to
look at a preceeding event with the specified distance of
2 away from the current event.
Note that the neighbor() function must be used
after an aggregator function to ensure event ordering.
Example incoming data might look like this:
| key |
|---|
| a |
| a |
| b |
| c |
Step-by-Step
Starting with the source repository events.
- flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 0{{Aggregate}} 1{{Aggregate}} result{{Result Set}} repo --> 0 0 --> 1 1 --> result style 0 fill:#ff0000,stroke-width:4px,stroke:#000;logscale
head()Selects the oldest events ordered by time.
- flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 0{{Aggregate}} 1{{Aggregate}} result{{Result Set}} repo --> 0 0 --> 1 1 --> result style 1 fill:#ff0000,stroke-width:4px,stroke:#000;logscale
| neighbor(key, prefix=prev, distance=2)For each event, looks two events back in the sequence. It retrieves the key value from that event two positions back, and adds this value to the current event's data, labeled with prev.key.
Event Result set.
Summary and Results
The query is used to access fields from each event at a specified distance (number of events) away in a sequence of events, retrieving fields from either a preceding or succeeding event at a specified distance from the current event.
Sample output from the incoming example data:
| key | prev.key |
|---|---|
| a | <no value> |
| a | <no value> |
| b | a |
| c | a |
The query is useful for comparing events with others that are not immediately adjacent in your data sequence.