Aggregation operators help aggregate log messages into groups. At a high level, FuseQL supports the following aggregation operators:
count all log lines
count_unique of labels, string-valued facets, or fingerprints
statistical operations (min, max, avg, sum, stddev, stdvar, and percentiles) on numeric or duration facet values
misc aggregation operations (first and last)
Facet values have the duration datatype if they follow the Go duration format. When any aggregation operator is applied to these values, they are normalized to a nanosecond float value.
All aggregations are performed after applying the filters, if any, in the log search bar, and within the time range the user selects in the time picker. All aggregations are grouped by time buckets, unless the user specifies additional grouping from the by dropdown.
count
Counts the total number of log lines.
count_unique
Counts only unique (distinct) occurrences of the field. This operator can be applied to fingerprints, labels, or string-valued facets (the facet value can be of string, UUID, or IP address datatype).
avg
Computes the average value of numeric or duration valued facets.
sum
Computes the sum of numeric or duration valued facets.
min
Computes the minimum value of numeric or duration valued facets.
max
Computes the maximum value of numeric or duration valued facets.
first
Computes the first value of numeric or duration valued facets.
last
Computes the last value of numeric or duration valued facets.
percentiles
Computes the percentiles (p50, p75, p90, p95 and p99) of numeric or duration valued facets.
stddev
Computes the standard deviation of numeric or duration valued facets.
stdvar
Computes the standard variance of numeric or duration valued facets.
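The duration normalization and time-bucket grouping described above, as an added Go example that is not FuseQL's own code: it parses Go-duration facet values, converts them to nanosecond floats, and computes count, min, max, avg and p50 per bucket. The Entry and Stats types, the Latency facet name, the sample values and the nearest-rank percentile method are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Entry is one log line: a timestamp plus a duration-valued facet (hypothetical names).
type Entry struct {
	TS      time.Time
	Latency string
}

// Stats holds aggregations for one time bucket; values are nanoseconds as floats.
type Stats struct {
	Count              int
	Min, Max, Avg, P50 float64
}

// Aggregate buckets entries by time; values that are not Go durations are skipped and counted.
func Aggregate(entries []Entry, width time.Duration) (map[int64]Stats, int) {
	groups, skipped := map[int64][]float64{}, 0
	for _, e := range entries {
		d, err := time.ParseDuration(e.Latency)
		if err != nil {
			skipped++
			continue
		}
		b := e.TS.Truncate(width).Unix() // bucket start in Unix seconds
		groups[b] = append(groups[b], float64(d.Nanoseconds()))
	}
	out := map[int64]Stats{}
	for b, v := range groups {
		sort.Float64s(v)
		sum, n := 0.0, float64(len(v))
		for _, x := range v {
			sum += x
		}
		// Nearest-rank p50 is an assumption; the page does not name the percentile method.
		out[b] = Stats{len(v), v[0], v[len(v)-1], sum / n, v[(len(v)+1)/2-1]}
	}
	return out, skipped
}

func main() {
	t := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC) // constructed sample data, not real logs
	in := []Entry{{t, "250ms"}, {t.Add(10 * time.Second), "1.5s"}, {t.Add(70 * time.Second), "n/a"}}
	fmt.Println(Aggregate(in, time.Minute))
}
```

Counting the skipped values separately shows when a facet that looks like a duration is not being aggregated as one.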