Skip to main content
Sumo Logic

Group or Aggregate Operators

Aggregating functions evaluate messages and place them into groups. The group operator is used in conjunction with group-by functions.

When using any grouping function, the word by is sufficient for representing the group operator. The typical construction when using group-by functions is:

grouping_function by (fieldname)

Aggregating (group-by) functions include:

By default, the ordering is not defined inside of groups created using a group-by expression. To order your results, use the sort operator.

Group Operator

Syntax

  • ... | group-by_function (field_to_operate_on) group by (field_to_group_by)

You can use by instead of group by so count group by user is equivalent to count by user.

Rules

  • Cannot be used with the LogReduce operator.
  • When parsing and naming (aliasing) fields, avoid using the names of grouping functions or other operators as field names.
  • When using count, or any grouping function, remember to include the underscore before the field name (sort by _count).
  • An aggregation function cannot include another function, such as a math function, on the same line of a query.

For example, you cannot use:

... | avg(x + y) as average 

You would need to do that in two separate steps, such as:
... | x + y as z | avg(z) as average

In another example, you cannot use:

avg(abs_latency)/1000/60 as avg_latency_min

Instead, you would need to use:

avg(abs_latency_ms) as avg_latency_ms
| avg_latency_ms / 1000 / 60 as avg_latency_min

Examples

Sort by _count and limit to 10 results.

* | parse "GET * " as url 
| count by url 
| sort by _count 
| limit 10

Count by user.

status AND down 
| parse regex "user=(?<user>.*?)
| parse regex "host=(?<msg_host>.*?)
| count by user

Count by the Source IP address.

_sourceCategory=apache 
| parse "* " as src_ip
| parse "GET * as url
| count by src_ip
| sort by _count

Use multiple group operators in a line:

| count(field1), avg(field2) group by field1, _timeslice

All Sumo Logic system-generated fields begin with an underscore ( "_"). Group-by functions always create a Sumo Logic field named with a combination of an underscore (_) and the function name. Using the function count inserts a field into the pipeline called _count. The function count_distinct inserts a field into the pipeline called _count_distinct.