How-To: Getting unsupported fields for collect()

When using the collect() function, the @timestamp, @id and _duration fields cannot be retrieved, especially when used as part of a groupBy(), series() or other aggregate function. This is because these aggregate functions may create their own versions or may summarize the information so that the corresponding field values are no longer available as part of the event set.

For example, when executing the following in the logscale repository:

logscale

groupBy(severity, function=series(collect=[@timestamp, class]))

To obtain the timestamp in this example, save the timestamp value before the aggregation and then collect the saved field value:

logscale

ts := @timestamp
| groupBy(severity, function=series(collect=[ts, class]))

Knowledge Base

How-To: Getting unsupported fields for collect()

Enter search term