Calculate Sum of Field Values Over Sliding Time-Based Window
Calculate a sum of values in a dataset over a sliding time-based window using the slidingTimeWindow() function
Query
head()
| slidingTimeWindow(sum(value), span=3s)Introduction
The slidingTimeWindow() function can be used to
calculate metrics over a specific time period. The
slidingTimeWindow() function analyzes data within a
moving time frame and performs calculation on the data within that time
period. As time progresses, it updates the calculations, always using
the most recent time period.
In this example, the slidingTimeWindow() function
is used with the head() function to calculate the
sum of the field value over a
sliding time-based window of 3 seconds.
Note that the slidingTimeWindow() function must be
used after an aggregator function to ensure event ordering by time. Also
note that the events must be sorted in order by timestamp to prevent
errors when running the query. It is possible to select any field to use
as a timestamp.
Example incoming data might look like this:
| value | @timestamp |
|---|---|
| 1 | 1451606301001 |
| 4 | 1451606301002 |
| 11 | 1451606302400 |
| 2 | 1451606304001 |
| 5 | 1451606304003 |
| 1 | 1451606305300 |
Step-by-Step
Starting with the source repository events.
- flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 0{{Aggregate}} 1{{Aggregate}} result{{Result Set}} repo --> 0 0 --> 1 1 --> result style 0 fill:#ff0000,stroke-width:4px,stroke:#000;logscale
head()Selects the oldest events ordered by time.
- flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 0{{Aggregate}} 1{{Aggregate}} result{{Result Set}} repo --> 0 0 --> 1 1 --> result style 1 fill:#ff0000,stroke-width:4px,stroke:#000;logscale
| slidingTimeWindow(sum(value), span=3s)Computes the running sum of the field value over a 3-second window using the
slidingTimeWindow()function with thesum()aggregator. It adds the values of this 3-second window together and updates the sum as new data points arrive, always considering only the last 3 seconds.It is also possible to exclude the current value, if adding
current="exclude":slidingTimeWindow(sum(value), span="3s", current="exclude")Note that it is possible to select any field to use as a timestamp, which can be useful after the bucket function.
Event Result set.
Summary and Results
The query is used to calculate the sum of fields over a sliding time-based window using a 3 second time window. The query is useful to identify trends in most recent data.
Sample output from the incoming example data:
| _sum | @timestamp | value |
|---|---|---|
| 1 | 1451606301001 | 1 |
| 5 | 1451606301002 | 4 |
| 16 | 1451606302400 | 11 |
| 17 | 1451606304001 | 2 |
| 18 | 1451606304003 | 5 |
| 19 | 1451606305300 | 1 |
Sample output from the incoming example data if the current event value is excluded:
| _sum | @timestamp | value |
|---|---|---|
| 0 | 1451606301001 | 1 |
| 1 | 1451606301002 | 4 |
| 5 | 1451606302400 | 11 |
| 15 | 1451606304001 | 2 |
| 13 | 1451606304003 | 5 |
| 18 | 1451606305300 | 1 |
To analyze data based on a set number of data points instead of time
periods, use the slidingWindow() function.