Metrics Operators
The following table lists the metrics supported operators and provides examples of queries containing each type of operator.
Operator  Description and Syntax  Examples 

accum 
Converts each timeseries in the row to a series of running totals. The running total in each series starts from the value of the first data point in the series, then iteratively adds up successive values. For example, if RequestCount is:{ 2, 0, 4, 3, 0, 0 } RequestCount  accum is:{ 2, 2, 6, 9, 9, 9 } 
RequestCount  accum 
Calculates the average of all the resulting time series. If grouping is specified, it calculates the average for each group.avg [by FIELD [, FIELD, ...]] 
dep=prod metric=cpu_system  avg 

along 
For use when joining metric queries, results in the Sumo evaluating the summation expression by one or more metric fields. #A + #B along [FIELD (,FIELD, ...]] 
Given joined metric queries like this:metric=CPU_User _sourceHost=cqsplitter* The along operator causes the summation to be performed for time series whose _sourceHost value matches. 
bottomk 
Select the bottom specified time series sorted by the value of a mathematical expression evaluated over the query time range.bottomk (number, aggregator) Supported aggregate functions: min , max , avg , count , sum , pct(n) , latest 
Take the bottom 5 time series with the highest maximum value:dep=prod metric=cpu_system  bottomk (5, max) 
count 
Counts the total number of time series that match the query. If grouping is specified, it counts the total number for each group.count [by FIELD [, FIELD, ...]] 
dep=prod  count 
delta 
Computes the backward difference at each data point in the time series to determine how much the metric has changed from its last value in the series. This operator also assigns the value of the metric tag to be delta($metric) . 
metric=Net_InBytes Interface=eth0  delta 
eval 
Evaluates a time series based on a userspecified math expression.metrics query  eval <math expression> where math expression is a valid math expression with _value as the placeholder for each data point in the time series.Supported Basic operations: +, , *, / Supported Math functions: sin, cos, abs, log, round, ceil, floor, tan, exp, sqrt, min, max 
_sourceCategory=ApacheHttpServer metrics=request_per_sec  rate  eval max(_value, 0) _sourceCategory=ApacheHttpServer metrics=cpu_idle  eval _value * 100 
fillmissing 
Fills empty time slices in metric query results with a derived data point. You can choose between several methods of deriving a data point, or leave empty timeslices empty.metric query  fillmissing [using] <empty  interpolation  last  fixed> 
_sourceCategory=Labs/VMWare6.5/Metrics hostname=thisveryhost metric=cpu_ready  fillmissing interpolation 
filter 
Filters a query to help reduce the number of series returned by applying a boolean test to some aggregate quantity.filter <aggregator> <boolean operator> <numerical value> Supported aggregate functions: min , max , avg , count, sum , pct(n) , latest Note that when you use max as the aggregation function for filter , you must set an upper limit, as shown in the second example in the "Examples" column to the right. 
Show only cpu metrics whose average over the time range queried is greater than 80%cpu  filter avg > 80 Show only cpu metrics where the min is greater than 20% and the max less than 50% cpu  filter min > 20 and max < 50 
Calculates the maximum value of the time series that match the query. If grouping is specified, it calculates the maximum for each group.max [by FIELD [, FIELD, ...]] 
dep=prod metric=cpu_system  max 

min 
Calculates the minimum value of the time series that match the query. If grouping is specified, it calculates the minimum for each group.min [by FIELD [, FIELD, ...]] 
dep=prod metric=cpu_system  min 
outlier 
Identifies metrics data points that are outside the range of expected values.  _sourceCategory=hostmetrics _sourceHost=nxPTY  outlier 
parse 
Parses the given field to create new fields to use in the metrics query. If no field is specified while parsing Graphite metrics, the metric name is used. Each wildcard in the pattern corresponds to a specified field. The parse operator supports both lazy (shortest match) and greedy (longest match) wildcard matches. Use '*' for a lazy match, or '**' for a greedy match. parse [field=FIELD] PATTERN as FIELD [, FIELD, ...] 
dep=prod  parse *search* as deployment, instance 
pct 
Calculates the specified percentile of the metrics that match the query. If grouping is specified, it calculates the specified percentile for each group.pct(DOUBLE) [by FIELD [, FIELD, ...]] 
dep=prod metric=cpu_system  pct(95) 
quantize 
Segregates time series data by time period. This allows you to create aggregated results in buckets of fixed intervals (for example, 5minute intervals).quantize to INTERVAL [using ROLLUP] where ROLLUP is avg , min , max , sum or count .For information about quantization, see Metric Quantization. 
_sourceCategory=hostmetrics  quantize to 5m 
rate 
Computes a rate based on the forward difference at each time in the time series. The difference between the current and the next recorded value in a time series is scaled to a value per second. This operator also assigns the value of the metric tag to be rate($metric) and the value of the unit metadata field to be $unit/second .rate [increasing  decreasing] With the increasing (or decreasing) option, the operator considers only those pairs of consecutive points where the second point in the pair is greater (or less) than the first point. 
metric=Net_InBytes Interface=eth0  rate 
sum 
Calculates the sum of the metrics values that match the query. If grouping is specified, it calculates the sum for each group.sum [by FIELD [, FIELD, ...]] 
dep=prod metric=cpu_system  sum 
timeshift 
Shifts the time series from your metrics query by the specified amount of time. This can help when comparing a time series across multiple time periods.timeshift TIME_INTERVAL 
cluster=search metric=cpu_idle  timeshift 5h 
topk 
Select the top specified time series sorted by the value of a mathematical expression evaluated over the query time range.topk (number, aggregator) Supported aggregate functions: min, max, avg, count, sum, pct(n), latest 
Take the top 10 time series with the highest maximum value:metric=cpu_system  topk (10, max) Reduce each time series by calculating (max / avg * 2) for it. Sort by this reduced value and take the top 10 values: metric=cpu_system topk (10, max /avg * 2) 