Annotate Events With Aggregation - Example 2

Annotate events using the stats() function and aggregation

Query

kvParse()
| stats([
sum(x, as=sumX),
avg(y, as=avgY),
table([x, y])
])

Introduction

The stats() function can be used to compute multiple aggregate functions over the input.

In this example, the stats() function is used with aggregation on the field x where one of the subaggregators (avg(y)) outputs zero rows.

The example shows what happens when a subaggregator, here avg(y), does not produce any output.

Example incoming data might look like this:

"x=1 y=N/A"
"x=2 y=N/A"

Step-by-Step

  1. Starting with the source repository events.

  2. [Flowchart: Events -> Add Field -> Add Field -> Result Set; the first Add Field step is highlighted]
    kvParse()

    Parses the string into key value pairs.

  3. [Flowchart: Events -> Add Field -> Add Field -> Result Set; the second Add Field step is highlighted]
    | stats([
    sum(x, as=sumX),
    avg(y, as=avgY),
    table([x, y])
    ])

    Computes the aggregate functions sum(), avg() and table() over the fields x and y. Because every y value is N/A, avg(y) has no numeric input and outputs zero rows, so no avgY field is produced; the result contains the field sumX from sum(x) and the fields x and y from table().

  4. Event Result set.

Summary and Results

The query is used to compute multiple aggregate functions over an input.

Sample output from the incoming example data:

"sumX","x","y"
"3","1","N/A"
"3","2","N/A"