Important
This function is considered experimental and under active development and should not be used in production.
The function must be enabled using the feature flag
ArrayFunctions. See
Enabling/Disabling Features.
Computes an aggregate value for each array element with the same index.
If, for example, all events contain arrays with the time taken for 3 different tasks,
array:reduceColumn(times, var=x,function=[avg(x), max(x)])will compute the maximum and average time for each task.
If function is an aggregator that produces more than one event, such as
groupBy, the output of array:reduceColumn will
contain the same number of events as the maximum number of events produced
in a column. The n'th event will contain an array with the values from the
n'th event in all columns having an n'th event. This can lead to
unreliable ordering of the output if the internal aggregate does not
output ordered events (such as groupBy).
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
array | string | true | The prefix of the array in Humio, for example for events with fields 'incidents[0], incidents[1], ...' this would be 'incidents'. [a] | |
as | string | false | Name of the output array. | |
function | string | true | Aggregate function to use (for example max()). | |
var | string | true | Placeholder field name to use for array element to use in aggregate function. | |
Examples
Find the maximum time for each place in the array. Given two events with arrays:
times=[1, 2, 3]
times=[5,1,0]With the function:
maxTimes := array:reduceColumn(times, var=x, function={time := max(x)})The result would be:
maxTimes[0].time = 5
maxTimes[1].time = 2
maxTimes[2]=3