Aggregation operators aggregate log messages into groups. These groups can be user-defined; by default, messages are grouped over time. At a high level, FuseQL supports the following aggregation groups:
count all log lines
count_unique of labels or string-valued facets or fingerprints
statistical operations (min, max, avg, sum, stddev, stdvar and percentiles) on numeric or duration facet values
misc aggregation operations (first and last).
Facet values can be of the duration datatype if they follow the Go duration format. When any aggregation operator is applied to these values, they are normalized to a nanosecond float value.
All aggregation operators are applied after applying filters, if any, in the log search bar, and in a time range selected by the user in the time picker.
count
Counts the total number of log lines in a given time range, along with any filters applied in log search.
count_unique
Counts only unique or distinct occurrences of the field. This operator can be applied on fingerprints, labels or string valued facets (facet value can be of string/UUID/IP address datatype).
avg
Computes the average value of numeric or duration valued facets within a group.
sum
Computes the sum of numeric or duration valued facets within a group.
min
Computes the min value of numeric or duration valued facets within a group.
max
Computes the max value of numeric or duration valued facets within a group.
first
Computes the first value of numeric or duration valued facets within a group.
last
Computes the last value of numeric or duration valued facets within a group.
percentiles
Computes the percentiles (p50, p75, p90, p95 and p99) of numeric or duration valued facets within a group.
stddev
Computes the standard deviation of numeric or duration valued facets within a group.
stdvar
Computes the standard variance of numeric or duration valued facets within a group.
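The duration normalization and per-group operators described above, sketched in Go as an added example (not FuseQL's own code). The function names, the sample `latency` values, the skipping of unparseable values, and the nearest-rank percentile method are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"strconv"
	"time"
)

// Stats holds the aggregates for one group; duration inputs are in nanoseconds.
type Stats struct {
	Count, Skipped                       int
	Sum, Avg, Min, Max, First, Last, P95 float64
}

// normalize passes finite numbers through and maps Go durations to nanoseconds.
func normalize(v string) (float64, error) {
	if f, err := strconv.ParseFloat(v, 64); err == nil && !math.IsNaN(f) && !math.IsInf(f, 0) {
		return f, nil
	}
	d, err := time.ParseDuration(v)
	return float64(d), err
}

// aggregate works in arrival order; skipping bad values and nearest-rank p95 are assumptions.
func aggregate(values []string) (s Stats) {
	var xs []float64
	for _, v := range values {
		if f, err := normalize(v); err == nil {
			xs = append(xs, f)
			s.Sum += f
		} else {
			s.Skipped++ // e.g. "n/a" or a malformed unit such as "15 sec"
		}
	}
	if s.Count = len(xs); s.Count == 0 {
		return s
	}
	s.First, s.Last, s.Avg = xs[0], xs[len(xs)-1], s.Sum/float64(s.Count)
	sort.Float64s(xs) // arrival order is no longer needed past this point
	s.Min, s.Max = xs[0], xs[len(xs)-1]
	s.P95 = xs[int(math.Ceil(0.95*float64(len(xs))))-1]
	return s
}

func main() { // constructed sample of a "latency" facet within one group
	fmt.Printf("%+v\n", aggregate([]string{"120ms", "1.5s", "80ms", "n/a", "2m3s", "300ms"}))
}
```

Because results come back in nanoseconds, an average of 2.5e10 here means 25 seconds; divide by 1e9 before comparing against thresholds expressed in seconds.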