Annotate Events With Aggregation - Example 2

Annotate events using the stats() function and aggregation
Query

  kvParse()
  | stats([
      sum(x, as=sumX),
      avg(y, as=avgY),
      table([x, y])
    ])
Introduction

The stats() function can be used to compute multiple aggregate functions over the input. In this example, the stats() function is used with aggregation on the field x, where one of the subaggregators (avg(y)) outputs zero rows. The example shows what happens when a subaggregator, here avg(y), does not produce any output.
Example incoming data might look like this:
"x=1 y=N/A"
"x=2 y=N/A"
Step-by-Step
Starting with the source repository events.

kvParse()

  Parses the string into key-value pairs.

| stats([ sum(x, as=sumX), avg(y, as=avgY), table([x, y]) ])

  Computes the aggregate functions sum(), avg() and table() over the fields x and y, and returns the results in a field named sumX, a field named x, and a field named y. No avgY field appears in the result, because avg(y) produces zero rows for this data (y is N/A in every event); the result set combines the single sumX row with the rows produced by table().
Summary and Results
The query is used to compute multiple aggregate functions over an input.
Sample output from the incoming example data:
"sumX","x","y"
"3","1","N/A"
"3","2","N/A"