Important
This function is considered experimental and under active development and should not be used in production.
The function must be enabled using the feature flag ArrayFunctions. See Enabling/Disabling Feature Flags.
Computes an aggregated value of an array on all events.
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
array | string | true | The prefix of the array in LogScale, for example for events with fields incidents[0], incidents[1], ... this would be incidents. [a] | |
as | string | false | Name of the output array. | |
function | string | true | Aggregate function to use (for example max()). Must be an aggregate function that outputs a single event with a single field. | |
var | string | true | Placeholder field name to use for array element to use in aggregate function. | |
For instance, given an array of ages named ages on events:
Event 1:
| fieldname | value |
|-------------|-------|
| ages\[0\] | 16 |
| ages\[1\] | 32 |
| ages\[2\] | 64 |Event 2:
| fieldname | value |
|-------------|-------|
| ages\[0\] | 15 |
| ages\[1\] | 30 |
| ages\[2\] | 45 |
Then using the aggregate function avg() as the
function argument:
array:reduceRow(ages, var=x, function=avg(x))Produces events 'Event 1' and 'Event 2' with the added field _reduceRow._avg as so:
Event 1:
| fieldname | value |
|----------------------|----------|
| ages\[0\] | 16 |
| ages\[1\] | 32 |
| ages\[2\] | 64 |
| _reduceRow._avg | 37.333...|Event 2:
| fieldname | value |
|----------------------|-------|
| ages\[0\] | 15 |
| ages\[1\] | 30 |
| ages\[2\] | 45 |
| _reduceRow._avg | 30 |
Only aggregate functions that return a single event with a single field
(such as avg(), count(),
sum(), max(). etc) are allowed
as the function argument.
The function cannot be join() or
groupBy().
array:reduceRow() Examples
Given events with an array named ages compute the average age of each event:
array:reduceRow(ages, var=x, function=avg(x))