# merge_events

Type of operation: Aggregate, Metadata

## Description

Merge consecutive events into new events based on merge conditions. The `matchFirstRow` condition must be true for any event that should start a new event rather than being merged with the previous event.

If `groupby` is not specified, the default grouping is used. The default grouping for merge_events is the set of primary key columns.
## Usage

`merge_events matchFirstRow [ , options ], aggregateExpression ... [ , order_by ] [ , groupby ]`

| Argument | Type | Required | Multiple |
|---|---|---|---|
| matchFirstRow | expression | Required | Only one |
| options | options | Optional | Only one |
| aggregateExpression | expression | Required | Can be multiple |
| order_by | ordering | Optional | Only one |
| groupby | grouping | Optional | Only one |
## Options

| Option | Type | Meaning |
|---|---|---|
| max_size | int64 | Maximum number of events merged into one event |
| max_interval | duration | Maximum interval between events to be considered for merging |
## Accelerable

merge_events is always accelerable if the input is accelerable. A dataset that only uses accelerable verbs can be accelerated, making queries on the dataset respond faster.
## Examples

```
merge_events match_regex(message, /^[^\s]/), options(max_size: 10, max_interval: 10m), message:string_agg(message, "\n"), order_by(timestamp), group_by(component)
```

Merges log messages into groups: the first message of each group must start with a non-whitespace character, and a group cannot exceed 10 messages or 10 minutes in time. Messages are processed in timestamp order and merged separately per component, so a multi-line stack trace is reassembled into a single event with its lines joined by newlines.
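The example above, worked through in Python as an added reference model of the verb's semantics. This is not Observe's implementation and not code from the page; it assumes that `max_interval` is measured as the gap between consecutive source events (following the option description), that `order_by` is modelled by sorting on a `timestamp` field, and that `group_by` is a caller-supplied key function. The sample log events are constructed for the demonstration.

```python
import re
from datetime import datetime, timedelta


def merge_events(events, match_first_row, aggregate, max_size=None,
                 max_interval=None, group_by=None):
    """Reference model of the merge_events verb (assumed semantics, not
    Observe's implementation).

    events          : iterable of dicts, each with a 'timestamp' (datetime)
    match_first_row : predicate(event) -> bool; True starts a new merged event
    aggregate       : callable(list of events) -> dict of aggregated fields
    max_size        : maximum number of source events per merged event
    max_interval    : maximum timedelta between consecutive source events
                      (assumed reading of the max_interval option)
    group_by        : callable(event) -> hashable key; events are merged
                      separately per key. None models a single group.
    """
    key_fn = group_by or (lambda e: None)
    open_groups = {}   # group key -> list of source events not yet emitted
    merged = []

    def flush(key):
        buf = open_groups.pop(key, None)
        if buf:
            out = {"timestamp": buf[0]["timestamp"], "count": len(buf)}
            if group_by is not None:
                out["group"] = key
            out.update(aggregate(buf))
            merged.append(out)

    # order_by(timestamp): merging is defined over consecutive events in time order
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        key = key_fn(ev)
        buf = open_groups.get(key)
        start_new = (
            buf is None
            or match_first_row(ev)
            or (max_size is not None and len(buf) >= max_size)
            or (max_interval is not None
                and ev["timestamp"] - buf[-1]["timestamp"] > max_interval)
        )
        if start_new:
            flush(key)
            open_groups[key] = [ev]
        else:
            buf.append(ev)

    for key in list(open_groups):
        flush(key)
    return sorted(merged, key=lambda e: e["timestamp"])


T0 = datetime(2024, 1, 1, 12, 0, 0)  # constructed base time for the sample

# Constructed sample log events (not real data): a multi-line stack trace from
# the "api" component, an unrelated "auth" line, and an orphaned indented line
# that arrives 15 minutes after the trace.
SAMPLE_EVENTS = [
    {"timestamp": T0, "component": "api",
     "message": "ERROR request failed"},
    {"timestamp": T0 + timedelta(seconds=1), "component": "api",
     "message": "    at handler.process(Handler.java:42)"},
    {"timestamp": T0 + timedelta(seconds=2), "component": "api",
     "message": "    at server.dispatch(Server.java:88)"},
    {"timestamp": T0 + timedelta(seconds=3), "component": "auth",
     "message": "WARN token expired for user u123"},
    {"timestamp": T0 + timedelta(seconds=4), "component": "api",
     "message": "INFO request completed"},
    {"timestamp": T0 + timedelta(minutes=15), "component": "api",
     "message": "    at orphan.line(Orphan.java:1)"},
]


def demo(max_size=10, max_interval=timedelta(minutes=10)):
    """Mirror the page's example: match_regex(message, /^[^\\s]/) starts a
    group, messages are joined with newlines, events are grouped per component."""
    return merge_events(
        SAMPLE_EVENTS,
        match_first_row=lambda e: re.match(r"^[^\s]", e["message"]) is not None,
        aggregate=lambda buf: {"message": "\n".join(e["message"] for e in buf)},
        max_size=max_size,
        max_interval=max_interval,
        group_by=lambda e: e["component"],
    )


if __name__ == "__main__":
    for m in demo():
        print(f'{m["timestamp"].time()} {m["group"]:4} x{m["count"]}: {m["message"]!r}')
```

Running `demo()` yields four merged events: the three-line stack trace as one event, the `auth` warning, the `INFO` line (it matches `matchFirstRow`, so it starts its own group), and the orphaned indented line as a separate event because it arrives more than `max_interval` after the previous `api` event. Lowering `max_size` to 2 splits the trace, and dropping `max_interval` lets the orphaned line attach to the `INFO` event, which is the behaviour the two options exist to control.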