Sumo Logic

Metrics Operators

 

The following table lists the supported metrics operators and provides example queries for each operator.

Each entry below gives the operator, its description and syntax, and example queries.

avg

Calculates the average of all the resulting time series. If grouping is specified, calculates the average for each group.

avg [by FIELD [, FIELD, ...]]

dep=prod metric=cpu_system | avg
cluster=search metric=cpu_idle | avg by node

count

Counts the total number of time series that match the query. If grouping is specified, counts the total number for each group.

count [by FIELD [, FIELD, ...]]

dep=prod | count
cluster=search | count by node

delta

Computes the backward difference at each data point in the time series to determine how much the metric has changed from its last value in the series.

This operator also assigns the value of the metric tag to be delta($metric).

delta

metric=Net_InBytes Interface=eth0 | delta

max

Calculates the maximum value of the time series that match the query. If grouping is specified, calculates the maximum for each group.

max [by FIELD [, FIELD, ...]]

dep=prod metric=cpu_system | max
cluster=search metric=cpu_idle | max by node

min

Calculates the minimum value of the time series that match the query. If grouping is specified, calculates the minimum for each group.

min [by FIELD [, FIELD, ...]]

dep=prod metric=cpu_system | min
cluster=search metric=cpu_idle | min by node

parse

Parses a string to identify fields to use in the metrics queries. Each * wildcard corresponds to a specified field.

parse [field=FIELD] PATTERN as FIELD [, FIELD, ...]

dep=prod | parse *-search-* as deployment, instance
cluster=frontend | parse field=user *-* as user_id, user_type

pct

Calculates the specified percentile of the metrics that match the query. If grouping is specified, calculates the specified percentile for each group.

pct(DOUBLE [, DOUBLE, ...]) [by FIELD [, FIELD, ...]]

dep=prod metric=cpu_system | pct(95, 75)
cluster=search metric=cpu_idle | pct(99.9) by node

quantize

Segregates time series data by time period. Allows you to create aggregated results in buckets of fixed intervals (for example, 5-minute intervals).

quantize to INTERVAL

_sourceCategory=hostmetrics | quantize to 5m 

rate

Computes a rate based on the forward difference at each time in the time series. The difference between the current and the next recorded value in a time series is scaled to a value per second.

This operator also assigns the value of the metric tag to be rate($metric) and the value of the unit metadata field to be $unit/second.

rate

metric=Net_InBytes Interface=eth0 | rate

sum

Calculates the sum of the metrics values that match the query. If grouping is specified, calculates the sum for each group.

sum [by FIELD [, FIELD, ...]]

dep=prod metric=cpu_system | sum
cluster=search metric=cpu_idle | sum by node

timeshift

Shifts the time series from your metrics query by the specified amount of time. This can help when comparing a time series across multiple time periods.

timeshift TIME_INTERVAL

cluster=search metric=cpu_idle | timeshift 5h
dep=prod metric=cpu_system | timeshift -1m
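
The delta and rate entries above, worked through in Python on a constructed Net_InBytes counter with one missed collection interval. This is an added example, not Sumo Logic code; the sample points, the unit value `bytes`, and the handling of the first point (delta) and last point (rate) are assumptions.

```python
# Added illustration of the delta and rate definitions; not Sumo Logic code.
# SERIES is constructed sample data: (epoch_seconds, counter_value) points
# with one missed collection interval between t=120 and t=300.
SERIES = {
    "metric": "Net_InBytes",
    "unit": "bytes",  # assumed unit value
    "points": [(0, 1000), (60, 1600), (120, 2200), (300, 4000), (360, 10000)],
}


def delta(series):
    """Backward difference: each point minus the previous point in the series."""
    pts = series["points"]
    # Assumption: the first point has no predecessor, so it yields no output.
    out = [(t, v - prev_v) for (_, prev_v), (t, v) in zip(pts, pts[1:])]
    return {**series, "metric": f"delta({series['metric']})", "points": out}


def rate(series):
    """Forward difference to the next recorded value, scaled to per second."""
    pts = series["points"]
    out = []
    for (t, v), (next_t, next_v) in zip(pts, pts[1:]):
        span = next_t - t
        if span <= 0:  # duplicate or out-of-order timestamp: no valid rate
            continue
        out.append((t, (next_v - v) / span))
    # Assumption: the last point has no successor, so it yields no output.
    return {
        **series,
        "metric": f"rate({series['metric']})",
        "unit": f"{series['unit']}/second",
        "points": out,
    }


if __name__ == "__main__":
    for result in (delta(SERIES), rate(SERIES)):
        print(result["metric"], result["unit"], result["points"])
```

The 180-second gap makes the delta at t=300 three times larger (1800) while the rate stays at 10 bytes/second; only the final interval is a real increase (100 bytes/second), which matters when a threshold is applied to inbound traffic.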