Aggregate Query Functions
LogScale's aggregate query functions provide grouping and/or aggregation of event data.
Table: Aggregate Query Functions
Function | Default Argument | Availability | Description |
---|---|---|---|
avg([as], field) | field | | Calculates the average for a field of a set of events. |
bucket([buckets], [field], [function], [limit], [minSpan], [span], [timezone], [unit]) | span | | Extends the groupBy function for grouping by time. |
callFunction([as], field, function) | function | | Calls the named function on a field over a set of events. |
collect(fields, [limit], [multival], [separator]) | fields | | Collects fields from multiple events into one event. |
count([as], [distinct], [field]) | field | | Counts given events. |
counterAsRate([as], field) | field | | Calculates the rate for a counter field. |
groupBy(field, [function], [limit]) | field | | Groups events by specified fields and executes aggregate functions on each group. |
head([limit]) | limit | | Returns the oldest events. |
holtwinters([alpha], [beta], [gamma], period) | period | removed in 1.73 | Used to generate a trendline for a periodic dataset. |
linReg([prefix], x, y) | linreg | | Computes linear relationship model between two variables using least-squares fitting. |
selectFromMax(field, include) | | | Selects event with the largest value for the specified field. |
selectFromMin(field, include) | | | Selects event with the smallest value for the specified field. |
selectLast(fields) | fields | | Specify fields to select from events, keeping value of most recent event for each field. |
series(collect, [endmatch], [maxduration], [maxpause], [memlimit], [separator], [startmatch]) | collect | | Collects a series of values for selected fields from multiple events into one or more events. |
sort([field], [limit], [order], [reverse], [type]) | field | | Sorts events by their fields. |
sum([as], field) | field | | Calculates the sum for a field over a set of events. |
top([as], [error], field, [limit], [max], [percent], [rest], [sum]) | field | | Finds the top results based on a given field. |
window([buckets], [function], [span]) | function | | Computes aggregate functions over a sliding window of data. |
The following functions are supported only for testing queries and parsers.
Table: Aggregate (for testing) Query Functions
Function | Default Argument | Availability | Description |
---|---|---|---|
createEvents([rawstring]) | | | Generates temporary events as part of the query. |