Aggregation Operators

Aggregation operators help aggregate log messages into groups. FuseQL supports the following aggregation operators:

  • count all log lines or fingerprints.

  • count_unique of labels or string-valued facets.

  • statistical operations (min, max, avg, sum, stddev, stdvar and percentiles) on numeric or duration facet values.

  • miscellaneous aggregation operations (first and last).

Facet values have the duration datatype if they follow the Go duration format. When any aggregation operator is applied to these values, they are normalized to a nanosecond float value.

All aggregations are performed after applying any filters set in the log search bar, and within the time range the user selected in the time picker. All aggregations are grouped by time buckets, unless the user specifies additional grouping from the "by" dropdown.
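The normalization and time-bucket grouping described above, as an added Go example that is not FuseQL's own code. The names `Entry`, `Stats`, `Aggregate` and `Sample`, the one-minute bucket width, and the choice to skip values that are not valid Go durations are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

// Entry is a log record with a timestamp and a duration-valued facet.
type Entry struct {
	TS      time.Time
	Latency string // Go duration format, e.g. "500ms", "1.5s", "2m"
}

// Stats holds per-bucket aggregates of the normalized values, in nanoseconds.
type Stats struct{ Count, Min, Max, Sum, Avg float64 }

// Aggregate converts each duration facet to a nanosecond float, skipping and
// counting invalid values, and groups by time bucket start (Unix seconds).
func Aggregate(entries []Entry, width time.Duration) (map[int64]Stats, int) {
	out, skipped := map[int64]Stats{}, 0
	for _, e := range entries {
		d, err := time.ParseDuration(e.Latency)
		if err != nil {
			skipped++
			continue
		}
		ns := float64(d.Nanoseconds())
		key := e.TS.Truncate(width).Unix()
		s, seen := out[key]
		if !seen {
			s.Min, s.Max = ns, ns
		}
		s.Min, s.Max = math.Min(s.Min, ns), math.Max(s.Max, ns)
		s.Count, s.Sum = s.Count+1, s.Sum+ns
		s.Avg = s.Sum / s.Count
		out[key] = s
	}
	return out, skipped
}

func Sample() []Entry {
	t0 := time.Date(2024, 11, 8, 0, 4, 0, 0, time.UTC) // constructed data; last value is malformed
	return []Entry{{t0.Add(5 * time.Second), "500ms"}, {t0.Add(40 * time.Second), "1.5s"},
		{t0.Add(59 * time.Second), "1s"}, {t0.Add(70 * time.Second), "2m"},
		{t0.Add(90 * time.Second), "fast"}}
}

func main() { fmt.Println(Aggregate(Sample(), time.Minute)) }
```

Mixed units ("500ms", "1.5s", "2m") become directly comparable once they are all nanosecond floats, which is why min, max, avg and sum are meaningful across them.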

count

Counts the total number of log lines.

count_unique

Counts only unique (distinct) occurrences of the field. This operator can be applied to fingerprints, labels or string-valued facets (the facet value can be of the string, UUID or IP address datatype).

avg

Computes the average value of numeric or duration-valued facets.

sum

Computes the sum of numeric or duration-valued facets.

min

Computes the minimum value of numeric or duration-valued facets.

max

Computes the maximum value of numeric or duration-valued facets.

first

Computes the first value of numeric or duration-valued facets.

last

Computes the last value of numeric or duration-valued facets.

percentiles

Computes the percentiles (p50, p75, p90, p95 or p99) of numeric or duration-valued facets.

stddev

Computes the standard deviation of numeric or duration-valued facets.

stdvar

Computes the standard variance of numeric or duration-valued facets.