This query function counts the number of events in the repository, or streaming through the function. The result is put in a field named, _count. You can use this field name to pipe the results to other query functions or general use.
It's possible to specify a field and only events containing that field are counted. It's also possible to do a distinct count. When having many distinct values LogScale will not try to keep them all in memory. An estimate is then used, so the result will not be a precise match.
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
as | string | false | _count | The name of the output field. |
distinct | boolean | false | When specified, counts only distinct values. When this parameter is set to true, LogScale always uses an estimate, which may return an inexact result as the value. | |
field | string | false | The field for which only events are counted. [a] | |
count() Examples
Below are several examples using the count()
function. Some are simple and others are more complex, with functions
embedded within others.
Count All Events
Figure 381. Count All Events
Below is a simple example using the count()
function. The query just counts the number of events found in the
repository for the period of time selected. See
Figure 381, “Count All Events” for how
the following query is entered (see highlighted text):
count()The results is just a single number, the total count; this is how it displays it.
Group & Count
Figure 382. Group Count
In this example, the query uses the count()
function within the groupBy() function. The first
parameter given is the field upon which to group the data. In this
case, it's the HTTP method (e.g., GET,
PUT, POST). The
second parameter says to use the function count()
to count the number occurrences for each method found.
groupby(field=method, function=count())Figure 382, “Group Count” shows how this query would be entered on the Search page for a repository. It shows in the results a table with the column headings, method and _count, with the values for each.
Chart of Daily Counts
Figure 383. count() Chart of Daily Counts
You can use the count() function in conjunction
with the timeChart() function to count the number
occurrences of events or other factors. By default, the
timeChart() function will aggregate the data by
day. The results will look something like what you see in the
screenshot shown in
Figure 383, “count() Chart of Daily Counts”.
timechart(function=count())Table of Daily Counts
Figure 384. Table of Daily Counts
When a user accesses a web site, the event is logged with a status.
For instance, the status code 200 is
returned when the request is successful, and
404 when the page is not found. To get
a list of status codes returned and a count of each for a given
period, you would enter the following query in the
Search box:
groupby(field=status, function=count())You can see an example of this query in Figure 384, “Table of Daily Counts”. Notice that in the results there is a table with the column headings status and _count, and the values for each status in the rows below them.