Access Fields From Single Neighboring Event in a Sequence - Example 1
Access fields from a single neighboring (preceeding) event in a sequence using the neighbor() function
Query
head()
| neighbor(key, prefix=prev)Introduction
The neighbor() function can be used to look at data
from nearby events in a defined sequence.
In this example, the neighbor() function is used to
look at the preceeding event; the one just before the current event as
no distance is specified.
Note that the neighbor() function must be used
after an aggregator function to ensure event ordering.
Example incoming data might look like this:
| key |
|---|
| a |
| a |
| b |
| c |
Step-by-Step
Starting with the source repository events.
- flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 0{{Aggregate}} 1{{Aggregate}} result{{Result Set}} repo --> 0 0 --> 1 1 --> result style 0 fill:#ff0000,stroke-width:4px,stroke:#000;logscale
head()Selects the oldest events ordered by time.
- flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 0{{Aggregate}} 1{{Aggregate}} result{{Result Set}} repo --> 0 0 --> 1 1 --> result style 1 fill:#ff0000,stroke-width:4px,stroke:#000;logscale
| neighbor(key, prefix=prev)For each event, looks at the event immediately before it, and returns the value of the field key within the current event as a field named prev.key.
It is also possible to look at an event further away, if defining a distance:
neighbor(key, prefix=prev, distance=2) Event Result set.
Summary and Results
In this example, the value of a field from a preceding event is added to each event.
Sample output from the incoming example data:
| key | prev.key |
|---|---|
| a | <no value> |
| a | a |
| b | a |
| c | b |
The query is useful for comparing events or detecting patterns in sequential data.