Aggregation
Count
* | count()
event_id=1 | count()
Sum / Avg / Max / Min
* | sum(bytes)
* | avg(response_time)
* | max(bytes)
* | min(response_time)
Percentile and Standard Deviation
* | percentile(response_time)
* | stdDev(response_time)
percentile() returns p50, p75, and p99.
Select First / Last
Return the value from the earliest or latest event in each group:
* | groupBy(user) | selectFirst(timestamp)
* | groupBy(user) | selectLast(status)
Multiple Aggregations with Stats
* | stats(count(), avg(response_time), sum(bytes))
Count with Named Parameters
* | groupby(user) | stats(count(field=event_id, distinct=true, as=unique_events))
* | groupby(user) | stats(count(field=event_id, as=total))
Use distinct=true for unique counts (uniqExact), and as= to name the output column.
Collect (groupArray)
* | groupby(user) | stats(collect(image))
Collects all values of a field into one array per group.
Top (Frequency Distribution)
* | groupby(user) | stats(top(field=event_id, percent=true, as=top_events))
Shows the most frequent values with their counts. Use percent=true to show each value's share of the group as a percentage instead.
Group By
* | groupBy(image)
* | groupBy(image, user)
* | groupBy(image) | count()
* | groupBy(user) | sum(bytes)
groupBy() automatically adds a _count field to each group if no aggregation is specified.
Distinct Count with groupBy
* | groupBy(computer, function=count(field=user, distinct=true))
Stats with groupBy
* | groupBy(computer, function=stats(count(computer), count(user,distinct=true), sum(bytes)))
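To make the semantics of groupBy(), count(field=..., distinct=true) and top(field=..., percent=true) concrete, here is an added Python example that is not part of this page or of the query engine it documents: it evaluates those aggregations over a few constructed events, and the event records, field values and function names are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample events (assumption, not data from the page): process-style events.
EVENTS = [
    {"computer": "ws01", "user": "alice", "event_id": 1, "image": "cmd.exe", "bytes": 120},
    {"computer": "ws01", "user": "alice", "event_id": 1, "image": "cmd.exe", "bytes": 80},
    {"computer": "ws01", "user": "bob", "event_id": 3, "image": "powershell.exe", "bytes": 500},
    {"computer": "ws02", "user": "bob", "event_id": 1, "image": "cmd.exe", "bytes": 40},
    {"computer": "ws02", "user": "bob", "event_id": 11, "image": "powershell.exe", "bytes": 60},
]


def count(events, field=None, distinct=False):
    """count() counts events; count(field=..., distinct=true) counts unique field values."""
    if field is None:
        return len(events)
    values = [e[field] for e in events if field in e]
    return len(set(values)) if distinct else len(values)


def top(events, field, percent=False):
    """top(field=...): value -> frequency, most frequent first.
    With percent=True each frequency becomes its share of the group, in percent."""
    counts = Counter(e[field] for e in events if field in e)
    total = sum(counts.values())
    return {v: (round(100 * c / total, 1) if percent else c) for v, c in counts.most_common()}


def group_by(events, *fields, function=None):
    """groupBy(fields..., function=...): bucket events by the key fields, then apply
    the aggregation to each bucket. With no function, emit _count per group."""
    groups = defaultdict(list)
    for e in events:
        groups[tuple(e.get(f) for f in fields)].append(e)
    rows = []
    for key, members in groups.items():
        row = dict(zip(fields, key))
        row.update(function(members) if function else {"_count": len(members)})
        rows.append(row)
    return rows


def summarise_by_computer(events=EVENTS):
    """Equivalent of: groupBy(computer, function=stats(count(user,distinct=true),
    top(field=event_id, percent=true, as=top_events)))."""
    return group_by(events, "computer", function=lambda g: {
        "unique_users": count(g, "user", distinct=True),
        "top_events": top(g, "event_id", percent=True),
    })


if __name__ == "__main__":
    for row in summarise_by_computer():
        print(row)
```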