Aggregation Functions
Basic Aggregation Functions
Count
Counts the total number of events in the specified time window.
count timespan=5m
Output:
{
  "padas": {
    "count": 4
  }
}
With field specification:
count(field1) timespan=5m
Output:
{
  "padas": {
    "count_field1": 4
  }
}
With alias:
count AS my_count timespan=5m
Output:
{
  "my_count": 4
}
Distinct Count
Counts unique values of the specified field.
distinct_count(field1) timespan=5m
Output:
{
  "padas": {
    "distinct_count_field1": 3
  }
}
Alternative syntax:
dc(field1) timespan=5m
Statistical Aggregations
Average
Calculates the mean value of the specified field.
avg(numeric_field) timespan=5m
Output:
{
  "padas": {
    "avg_numeric_field": 42.5
  }
}
Median
Calculates the median value of the specified field.
median(numeric_field) timespan=5m
Output:
{
  "padas": {
    "median_numeric_field": 40.0
  }
}
Minimum
Finds the minimum value of the specified field.
min(numeric_field) timespan=5m
Output:
{
  "padas": {
    "min_numeric_field": 10.0
  }
}
Maximum
Finds the maximum value of the specified field.
max(numeric_field) timespan=5m
Output:
{
  "padas": {
    "max_numeric_field": 100.0
  }
}
Variance
Calculates the variance of the specified field.
variance(numeric_field) timespan=5m
Output:
{
  "padas": {
    "variance_numeric_field": 225.0
  }
}
Standard Deviation
Calculates the standard deviation of the specified field.
stddev(numeric_field) timespan=5m
Output:
{
  "padas": {
    "stddev_numeric_field": 15.0
  }
}
Notes
- All aggregation functions require a timespan parameter
- The output field names follow the pattern {function}_{fieldname} when a field is specified
- When using an alias with AS, the output will use the specified alias name
- All functions can be combined with group_by and where clauses for more complex aggregations
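The naming and windowing rules above, modelled in Python as an added example (not Padas code and not from the original page); a model like this helps sanity-check the value an aggregation-based detection rule should produce for a known set of events. It assumes fixed, non-overlapping windows keyed on a hypothetical ts field, population variance and standard deviation, and that events missing the field are skipped.

```python
import statistics
from collections import defaultdict

# Function names from the page. Assumption: variance/stddev are population
# statistics (the page does not say which form is used).
FUNCS = {
    "count": len,
    "distinct_count": lambda v: len(set(v)),
    "avg": statistics.fmean,
    "median": statistics.median,
    "min": min,
    "max": max,
    "variance": statistics.pvariance,
    "stddev": statistics.pstdev,
}

def aggregate(events, func, field=None, alias=None, timespan=300):
    """Return {window_start: output} for one aggregation over `events`.

    Assumptions: windows are fixed, non-overlapping buckets of `timespan`
    seconds keyed on a hypothetical "ts" field (epoch seconds), and events
    that lack `field` are skipped.
    """
    buckets = defaultdict(list)
    for ev in events:
        if field is not None and field not in ev:
            continue
        start = ev["ts"] // timespan * timespan
        buckets[start].append(ev[field] if field is not None else ev)
    results = {}
    for start, values in sorted(buckets.items()):
        value = FUNCS[func](values)
        # Naming rules from the Notes: alias wins, else {function}_{fieldname}.
        name = f"{func}_{field}" if field else func
        results[start] = {alias: value} if alias else {"padas": {name: value}}
    return results

# Constructed sample events: four in the first 5-minute window, one in the next.
EVENTS = [
    {"ts": 0, "field1": "a", "numeric_field": 25.0},
    {"ts": 60, "field1": "b", "numeric_field": 55.0},
    {"ts": 120, "field1": "a", "numeric_field": 25.0},
    {"ts": 299, "field1": "c", "numeric_field": 55.0},
    {"ts": 300, "field1": "a", "numeric_field": 70.0},
]

if __name__ == "__main__":
    for func, field in [("count", None), ("distinct_count", "field1"), ("stddev", "numeric_field")]:
        print(func, aggregate(EVENTS, func, field))
```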