How do I Use Time Window Functions?

When used with aggregating verbs, aggregate functions summarize many rows into one row.

Window functions are like aggregate functions, except they summarize previous and following rows into a scalar value, without changing the number of rows.

Any aggregate function can be turned into a window function by using make_col instead of the aggregate verb, and wrapping the aggregation in window().

Standard aggregation modifiers such as group_by(), order_by(), and frame() can be specified inside window(); they make the function look at previous and following rows (within the group, in the given order, over the given frame) when calculating the value.

Some special functions are only window functions, and cannot be used as aggregate functions. These include lead() and lag().

Example Using window() For Moving Average

// calculate moving average of value over last five minutes
make_col moving_average:window(avg(value), frame(back:5m))

Example Using window() to Find Next Event By Container

// calculate the time of next event for each container by name
make_col next_event_time:window(lead(timestamp), group_by(containerName))
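To make the difference between an aggregate and a window concrete, the following Python script models the semantics of both examples above over a small constructed event stream. It is an added example, not OPAL and not code from the original page or from Observe: aggregate_avg() plays the role of an aggregate verb (many rows in, one row out), window_moving_avg() models window(avg(value), frame(back:5m)), and window_lead() models window(lead(timestamp), group_by(containerName)). Assumptions made here: rows are ordered by timestamp, the frame covers timestamps in (t - back, t], and lead() yields None for the last row of a group.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows (not from the original page): one event stream with a
# timestamp, a container name and a numeric value. Deliberately unsorted.
ROWS = [
    {"timestamp": datetime(2024, 1, 1, 12, 0), "containerName": "api", "value": 10.0},
    {"timestamp": datetime(2024, 1, 1, 12, 1), "containerName": "db", "value": 40.0},
    {"timestamp": datetime(2024, 1, 1, 12, 3), "containerName": "api", "value": 20.0},
    {"timestamp": datetime(2024, 1, 1, 12, 7), "containerName": "api", "value": 30.0},
    {"timestamp": datetime(2024, 1, 1, 12, 10), "containerName": "db", "value": 50.0},
]

FIVE_MINUTES = timedelta(minutes=5)


def aggregate_avg(rows, col):
    """Aggregate verb: summarizes all rows into a single scalar (one row out)."""
    return sum(r[col] for r in rows) / len(rows)


def window_moving_avg(rows, col, back):
    """Model of window(avg(col), frame(back:...)).

    For every row, average col over the rows whose timestamp lies in
    (t - back, t] (assumed frame boundary). The number of rows is unchanged;
    each input row comes back with an extra moving_average column.
    """
    ordered = sorted(rows, key=lambda r: r["timestamp"])
    out = []
    for r in ordered:
        t = r["timestamp"]
        in_frame = [s[col] for s in ordered if t - back < s["timestamp"] <= t]
        out.append({**r, "moving_average": sum(in_frame) / len(in_frame)})
    return out


def window_lead(rows, col, key):
    """Model of window(lead(col), group_by(key)).

    For each row, take col from the *next* row (by timestamp) that has the
    same key value; the last row of each group gets None (assumption).
    Again the row count is preserved.
    """
    groups = defaultdict(list)
    for r in sorted(rows, key=lambda r: r["timestamp"]):
        groups[r[key]].append(r)
    out = []
    for group in groups.values():
        for i, r in enumerate(group):
            nxt = group[i + 1][col] if i + 1 < len(group) else None
            out.append({**r, "next_event_time": nxt})
    return sorted(out, key=lambda r: r["timestamp"])


if __name__ == "__main__":
    print("aggregate avg(value):", aggregate_avg(ROWS, "value"))
    for r in window_moving_avg(ROWS, "value", FIVE_MINUTES):
        print(r["timestamp"].time(), r["containerName"], r["moving_average"])
    for r in window_lead(ROWS, "timestamp", "containerName"):
        print(r["timestamp"].time(), r["containerName"], r["next_event_time"])
```

Running it shows the two behaviours side by side: the aggregate collapses the five rows to one value, while both window functions return five rows, each annotated with a value computed from its neighbours (backward in time for the frame, forward within the same container for lead).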