group_by

Description

Specifies the grouping (partitioning) in which data is processed. It establishes the grouping for aggregate verbs such as timechart, establishes the grouping for window functions when used inside the window() function, and establishes a default grouping for window functions when used at the top level of a verb.

Return type

any

Domain

This is a scalar function (calculates a single output value for a single input row).

Categories

Usage

group_by( )

Examples

timechart 1m, count: count(1), group_by(clusterUid)

Computes the number of events for each cluster in every minute.

timechart 1m, count: count(1), group_by(clusterUid: tags.clusterUid)

First extracts the tags.clusterUid field into the clusterUid column, then computes the number of events for each cluster in every minute. Both the clusterUid column and the count column will be kept in the result.

timechart 1m, count: count(1), group_by(tags.clusterUid)

When an expression is specified without an explicit column name, a derived column name is used instead. In this case, clusterUid will be the derived column name, and the tags.clusterUid field will be extracted into the clusterUid column. It then computes the number of events for each cluster in every minute. Both the clusterUid column and the count column will be kept in the result.

make_col count:window(count(1), group_by(nodeName), frame(back:5m))

Each row will be given a new column count which contains a count of the number of rows with the same nodeName value within the last five minutes. For more information, see window() and frame().

make_col count:window(count(1), frame(back:5m)), morecount:window(count(1), frame(back:1m)), group_by(nodeName)

Each row will be given a new column count which contains a count of the number of rows with the same nodeName value within the last five minutes, and a new column morecount which contains the same count looking back only one minute. The top-level group_by() establishes the grouping re-used by each of the inner window() functions. For more information, see window() and frame().
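
The grouped look-back behavior of the last two examples, modeled in Python as an added illustration (this is not OPAL and not code from the product documentation). The sample rows, the function names window_count and make_cols, and the inclusive frame edges are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (timestamp, nodeName); not real data.
T0 = datetime(2024, 1, 1, 12, 0, 0)
ROWS = [
    {"ts": T0 + timedelta(seconds=s), "nodeName": n}
    for s, n in [(0, "node-a"), (30, "node-b"), (50, "node-a"),
                 (200, "node-a"), (290, "node-b"), (320, "node-a")]
]

def window_count(rows, group_key, back):
    """Per-row count of rows in the same group with ts in [row.ts - back, row.ts].

    Models count(1) evaluated under group_by(group_key) and frame(back: ...).
    Assumption: both frame edges are inclusive (no sample row sits on an edge).
    """
    by_group = {}
    for row in rows:
        by_group.setdefault(row[group_key], []).append(row["ts"])
    counts = []
    for row in rows:
        peers = by_group[row[group_key]]  # only rows sharing the group value
        counts.append(sum(1 for ts in peers if row["ts"] - back <= ts <= row["ts"]))
    return counts

def make_cols(rows, group_key, frames):
    """Add one column per frame. Every frame reuses the same grouping, like a
    top-level group_by() shared by several window() calls. No rows are dropped
    or merged: a window function annotates rows, it does not aggregate them."""
    out = [dict(r) for r in rows]
    for name, back in frames.items():
        for r, c in zip(out, window_count(rows, group_key, back)):
            r[name] = c
    return out

RESULT = make_cols(ROWS, "nodeName",
                   {"count": timedelta(minutes=5), "morecount": timedelta(minutes=1)})

if __name__ == "__main__":
    for r in RESULT:
        print(r["ts"].time(), r["nodeName"], r["count"], r["morecount"])
```

The last node-a row counts 3 rather than 4 in the five-minute column because the first node-a row has already aged out of the frame, and node-b rows never contribute to node-a counts.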

Aliases

groupby (deprecated)