Aggregating (group-by) functions evaluate messages and place them into groups. The group operator is used in conjunction with group-by functions.
Only search results that have been aggregated using a group or aggregate operator can be placed on a dashboard panel. See Chart Search Results for information about charting.
When using any grouping function, the word by is sufficient for representing the group operator. The typical construction when using group-by functions is:
grouping_function by <fieldname>
The most_recent and least_recent operators are not considered standalone operators; they are designed to be used only as an alternative to the first and last operators in Live Dashboards or any continuous query where first and last are not supported.
By default, the ordering is not defined inside of groups created using a group-by expression. To order your results, use the sort operator.
... | group_by_function <field_to_operate_on> group by <field_to_group_by>[, <field2>, ...]
You can use by instead of group by, so count group by user is equivalent to count by user.
- Cannot be used with the LogReduce operator.
- When parsing and naming (aliasing) fields, avoid using the names of grouping functions or other operators as field names.
- When using count, or any grouping function, remember to include the underscore before the field name (sort by _count).
- Multiple aggregation functions can be on the same line but you can't include another function, such as a math function, on the same line of a query.
For example, you can't use:
... | avg(x + y) as average, sum(x+y) as total
You would need to do that in two separate steps, such as:
... | x + y as z | avg(z) as average, sum(z) as total
In another example, you can't use:
avg(abs_latency_ms)/1000/60 as avg_latency_min
Instead, you'd need to use two separate lines:
avg(abs_latency_ms) as avg_latency_ms
| avg_latency_ms / 1000 / 60 as avg_latency_min
* | parse "GET * " as url
| count by url
| sort by _count
| limit 10

status AND down
| parse regex "user=(?<user>.*?)"
| parse regex "host=(?<msg_host>.*?)"
| count by user

| parse "* " as src_ip
| parse "GET *" as url
| count by src_ip
| sort by _count

| count(field1), avg(field2) group by field1, _timeslice

| max(amount) as amount_max, count(datetime) as datetime_count, sum(_size) as messages_size_sum, last(query) as last_query
All Sumo Logic system-generated fields begin with an underscore (_). Group-by functions always create a Sumo Logic field named with a combination of an underscore (_) and the function name. Using the function count inserts a field into the pipeline called _count. The function count_distinct inserts a field into the pipeline called _count_distinct.
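To make the rules above concrete, here is an added Python model of how a group-by pipeline behaves: parse fields from raw lines, aggregate them by one or more fields, store un-aliased results under an underscore plus the function name (_count, _count_distinct), sort afterwards because group order is undefined, and apply arithmetic to an aggregated field only in a second stage. This is illustration code written for this page, not Sumo Logic's implementation; the sample log lines, the field names (src_ip, url, status, latency_ms) and the nearest-rank percentile used for pct are constructed assumptions.

```python
import math
import re
from collections import defaultdict

# Constructed sample web-server lines (not taken from the page).
SAMPLE_LOGS = [
    "src=10.0.0.5 GET /login status=401 latency_ms=120",
    "src=10.0.0.5 GET /login status=401 latency_ms=95",
    "src=10.0.0.5 GET /login status=200 latency_ms=310",
    "src=10.0.0.9 GET /index status=200 latency_ms=40",
    "src=10.0.0.9 GET /admin status=403 latency_ms=60",
    "src=192.0.2.7 GET /index status=200 latency_ms=55",
]

# Named-capture pattern standing in for `parse regex "...(?<field>...)..."`.
LINE_RE = (r"src=(?P<src_ip>\S+) GET (?P<url>\S+) "
           r"status=(?P<status>\d+) latency_ms=(?P<latency_ms>\d+)")


def parse_lines(lines, pattern=LINE_RE):
    """Return one field dict per matching line; non-matching lines drop out."""
    rows = []
    for line in lines:
        match = re.search(pattern, line)
        if match:
            rows.append(match.groupdict())
    return rows


def pct(values, percentile):
    """Nearest-rank percentile (an assumption, not Sumo Logic's exact method);
    pct(values, 50) is the median described on the page."""
    ordered = sorted(float(v) for v in values)
    rank = max(1, math.ceil(percentile / 100 * len(ordered)))
    return ordered[rank - 1]


# Grouping functions modelled here; `first`/`last` follow input order.
AGGREGATORS = {
    "count": lambda vals: len(vals),
    "count_distinct": lambda vals: len(set(vals)),
    "sum": lambda vals: sum(float(v) for v in vals),
    "avg": lambda vals: sum(float(v) for v in vals) / len(vals),
    "min": lambda vals: min(float(v) for v in vals),
    "max": lambda vals: max(float(v) for v in vals),
    "first": lambda vals: vals[0],
    "last": lambda vals: vals[-1],
}


def aggregate(rows, functions, by):
    """Model of `func1(f1) as a1, func2(f2) ... group by b1, b2`.

    functions: list of (function_name, field_or_None, alias_or_None).
    An un-aliased result is stored under '_' + function name, as on the page
    (count -> _count, count_distinct -> _count_distinct).
    """
    groups = defaultdict(list)
    for row in rows:
        groups[tuple(row[f] for f in by)].append(row)
    results = []
    for key, members in groups.items():  # group order is undefined; sort afterwards
        result = dict(zip(by, key))
        for name, field, alias in functions:
            vals = [m[field] for m in members] if field else members
            result[alias or "_" + name] = AGGREGATORS[name](vals)
        results.append(result)
    return results


def sort_by(rows, field, descending=True):
    """Model of `sort by <field>`, descending by default."""
    return sorted(rows, key=lambda r: r[field], reverse=descending)


def top_urls(lines, limit=10):
    """The page's `parse ... | count by url | sort by _count | limit 10`."""
    counts = aggregate(parse_lines(lines), [("count", None, None)], ["url"])
    return sort_by(counts, "_count")[:limit]


def failed_logins_by_source(lines, limit=10):
    """Triage view: keep status 401 rows, then `count by src_ip | sort by _count`."""
    rows = [r for r in parse_lines(lines) if r["status"] == "401"]
    return sort_by(aggregate(rows, [("count", None, None)], ["src_ip"]), "_count")[:limit]


def avg_latency_minutes(lines):
    """Two-step rule from the page: aggregate first, do the arithmetic in a second stage."""
    stage = aggregate(parse_lines(lines), [("avg", "latency_ms", "avg_latency_ms")], [])[0]
    stage["avg_latency_min"] = stage["avg_latency_ms"] / 1000 / 60
    return stage


def median_latency(lines):
    """Median via the percentile function with an argument of 50."""
    return pct([r["latency_ms"] for r in parse_lines(lines)], 50)


if __name__ == "__main__":
    print(top_urls(SAMPLE_LOGS))
    print(failed_logins_by_source(SAMPLE_LOGS))
    print(avg_latency_minutes(SAMPLE_LOGS), median_latency(SAMPLE_LOGS))
```

Note that `aggregate` never orders its output: callers that want a ranking have to add the `sort_by` stage explicitly, which mirrors the page's statement that ordering inside group-by results is undefined unless sort is applied.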
In this section, we'll introduce the following concepts:
📄️ avg
The averaging function (avg) calculates the average value of the numerical field being evaluated within the time range analyzed.
📄️ count, count_distinct, count_frequent
Aggregating (group-by) functions are used in conjunction with the group operator and a field name.
📄️ first, last
The first and last operators return the first or last result relative to the sort order. By default, searches return results in descending chronological order (most recent descending to oldest).
📄️ median
To calculate the median value for a particular field, use the percentile (pct) operator with a percentile argument of 50.
📄️ min, max
Use the min and max functions to find the smallest or largest value in a set of values.
📄️ most_recent, least_recent
The most_recent and least_recent operators, used with the withtime operator, are aggregate operators that allow you to select the most recent or least recent value within a group.
📄️ pct
The pct operator finds the specified percentiles of a given field.
📄️ pct_sampling
The percent sampling function, pct_sampling, finds the percentile of a given field. Multiple pct_sampling functions can be included in one query.
📄️ stddev
Finds the standard deviation value for a distribution of numerical
📄️ sum
Sum adds the values of the numerical field being evaluated within the time range analyzed.
📄️ values
The values operator provides all the distinct values of a field. This allows you to quickly identify and understand all the values a field has in your data. Additionally, you have the option to group by other fields of interest.