This query function counts the number of events in the repository, or
streaming through the function. Result is put in a field named,
_count. You can use this field name
to pipe the results to other query functions or general use.
It's possible to specify a field and only events containing that field are counted. It's also possible to do a distinct count. When having many distinct values LogScale will not try to keep them all in memory. An estimate is then used, so the result will not be a precise match.
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
as | string | false | _count | The name of the output field. |
distinct | boolean | false | When specified, counts only distinct values. For many distinct values, Humio uses an estimate, which may return an inexact result. | |
field | string | false | The field for which only events are counted. [a] | |
Examples
Below are several examples using the count()
function. Some are simple and others are more complex, with functions
embedded within others.
Count All Events
Figure 287. Count All Events
Below is a simple example using the count()
function. The query just counts the number of events found in the
repository for the period of time selected. See
Figure 287, “Count All Events” for how
the following query is entered (see highlighted text):
count()The results is just a single number, the total count; this is how it displays it.
Group & Count
Figure 288. Group Count
In this example, the query uses the count()
function within the groupBy() function. The first
parameter given is the field upon which to group the data. In this
case, it's the http method
(e.g., GET,
PUT,
POST). The second parameter says
to use the function count() to count the number
occurrences for each method found.
groupby(field=method, function=count())
Figure 288, “Group Count” shows how this
query would be entered on the Search page for a repository — see
the highlighted text. It shows in the results a table with the column
headings, method and
_count, with the values for
each.
Chart of Daily Counts
Figure 289. count() Chart of Daily Counts
You can use the count() function in conjunction
with the timeChart() function to count the number
occurrences of events or other factors. By default, the
timeChart() function will aggregate the data by
day. The results will look something like what you see in the
screenshot shown in
Figure 289, “count() Chart of Daily Counts”.
timechart(function=count())Table of Daily Counts
Figure 290. Table of Daily Counts
When a user accesses a web site, the event is logged with a status
code. For instance, the status code
200 is returned when the request
is successful, and 404 when the
page is not found. To get a list of status codes returned and a count
of each for a given period, you would enter something like the
following in the query input box:
count(field=statuscode)
You can see an example of this query in
Figure 290, “Table of Daily Counts”. Notice
that in the results there is a table with the column headings
statuscode and
_count, and the values for each
status code in the rows below them.