groupBy() function for grouping by time.
This function produces a table; if a graph is desired, please consider
This function divides the search time interval into buckets. Each event is put into a bucket based on its timestamp.
Events are grouped by their bucket, generating the field `_bucket`. The value of `_bucket` is the corresponding bucket's start time in milliseconds (UTC time).
| Type | Required | Default | Description |
|---|---|---|---|
| number | false | | Defines the number of buckets. The time span is defined by splitting the query time interval into this many buckets. 0..1500 |
| string | false | | Specifies which fields to group by. Note it is possible to group by multiple fields. |
| [Aggregate] | false | count(as=_count) | Specifies which aggregate functions to perform on each group. Default is to count the elements in each group. |
| number | false | 10 | Defines the maximum number of series to produce (defaults to 10). Max is 50. A warning is produced if this limit is exceeded, unless the parameter is specified explicitly. |
| string | false | | Defines the time span for each bucket. The time span is defined as a relative-time-syntax such as '1hour' or '3 weeks'. If not provided or set to 'auto', the search time interval, and thus the number of buckets, is determined dynamically. |
| string | false | auto | Defines the time span for each bucket. The time span is defined as a relative time modifier like |
| string | false | | Defines the time zone for bucketing. This value overrides timeZoneOffsetMinutes which may be passed in the HTTP/JSON query API. For example, timezone=UTC or timezone='+02:00'. |
| [string] | false | | Each value is a unit conversion for the given column. For instance: `bytes/span` to `Kbytes/day` converts a sum of bytes into Kb/day, automatically taking the time span into account. If present, this array must be either length 1 (apply to all series) or have the same length as the function parameter. Default is no conversion. The documentation has a section on this conversion. |
Divides the search time interval into buckets. As time span is not specified, the search interval is divided into 127 buckets. Events in each bucket are counted:
Counts different HTTP status codes over time and buckets them into time intervals of 1 minute. Notice we group by two fields: status code and the implicit field
bucket(1min, field=status_code, function=count())
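To make the shape of that result concrete, the following Python sketch emulates the status-code query above over constructed events. It is an added example, not code from the product or its documentation; the function names, the sample events and the rule that buckets are laid out from the start of the search interval are assumptions.

```python
from collections import Counter

SPAN_MS = 60_000  # span=1min, as in the query above

# Constructed sample events: (timestamp in epoch milliseconds UTC, status_code).
QUERY_START_MS = 1_700_000_040_000  # constructed start of the search interval
EVENTS = [
    (QUERY_START_MS + 1_000, "200"),
    (QUERY_START_MS + 59_999, "200"),   # last millisecond of the first bucket
    (QUERY_START_MS + 60_000, "500"),   # on the boundary: second bucket
    (QUERY_START_MS + 61_500, "200"),
    (QUERY_START_MS + 119_000, "500"),
    (QUERY_START_MS + 185_000, "404"),  # third bucket stays empty
]


def bucket_start(timestamp_ms, query_start_ms, span_ms):
    """Return the start time (epoch ms, UTC) of the bucket holding the event.

    Assumption: buckets are laid out back to back from the start of the
    search interval; the page does not state the alignment rule.
    """
    if timestamp_ms < query_start_ms:
        raise ValueError("event is outside the search interval")
    index = (timestamp_ms - query_start_ms) // span_ms
    return query_start_ms + index * span_ms


def bucket_count(events, query_start_ms, span_ms):
    """Count events per (_bucket, status_code) pair, one table row per pair."""
    counts = Counter(
        (bucket_start(ts, query_start_ms, span_ms), status)
        for ts, status in events
    )
    # Empty buckets produce no row, because no event carries that _bucket value.
    return [
        {"_bucket": b, "status_code": s, "_count": n}
        for (b, s), n in sorted(counts.items())
    ]


if __name__ == "__main__":
    for row in bucket_count(EVENTS, QUERY_START_MS, SPAN_MS):
        print(row)
```

Each row carries both grouping keys, so a burst of one status code inside a single minute shows up as its own row instead of being averaged into the whole interval.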
Show response time percentiles over time. Calculate percentiles per minute (bucket time into 1 minute intervals):
bucket(span=60sec, function=percentile(field=responsetime, percentiles=[50, 75, 99, 99.9]))