Finds the smallest number for the specified field over a set of events.

| Parameter | Type | Required | Default Value | Description |
|---|---|---|---|---|
| as | string | optional[a] | _min | Name of output field. |
| field[b] | string | required | | Field to extract a number from. |
| type | string | optional[a] | | description |

[a] Optional parameters use their default value unless explicitly set.

[b] The parameter name field can be omitted.


min() Syntax Examples

Return the minimum responsetime:

logscale
min(responsetime)

Filter for events with a responsetime greater than 5 seconds:

logscale
min(responsetime)
| _min > 5

min() Examples

Alert Query for Parser Issues

Reporting errors

Query
logscale
#type=humio #kind=logs
| loglevel=WARN
| class = c.h.d.ParserLimitingJob
| "Setting reject ingest for"
| groupBy(id, function=[count(), min(@timestamp), max(@timestamp)] )
| timeDiff:=_max-_min
| timeDiff > 300000 and _count > 10

Introduction

This alert query tries to balance reacting when there are problems with parsers, without being too restrictive.

Step-by-Step
  1. Starting with the source repository events.

  2. logscale
    #type=humio #kind=logs

    Filters on all logs across all hosts in the cluster.

  3. logscale
    | loglevel=WARN

    Filters for all events where the loglevel is equal to WARN.

  4. logscale
    | class = c.h.d.ParserLimitingJob

    Assigns the value c.h.d.ParserLimitingJob to the class for the logs having the loglevel value WARN.

  5. logscale
    | "Setting reject ingest for"

    Filters for events containing the string Setting reject ingest for. This is the error message generated when ingested events are rejected.

  6. logscale
    | groupBy(id, function=[count(), min(@timestamp), max(@timestamp)] )

    Groups the returned result by the field id, makes a count on the events and returns the minimum timestamp and maximum timestamp. This returns a new event set, with the fields id, _count, _min, and _max.

  7. logscale
    | timeDiff:=_max-_min

    Calculates the time difference between the maximum timestamp values and the minimum timestamp values and returns the result in a new field named timeDiff.

  8. logscale
    | timeDiff > 300000 and _count > 10

    Returns all events where the value of timeDiff is greater than 300000 and where there are more than 10 occurrences.

  9. Event Result set.

Summary and Results

This query is used to set up alerts for parser issues. Setting up alerts for parser issues makes it possible to proactively reach out to customers whose queries are being throttled and help them.
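The alert logic above, emulated in Python as an added example (not code from the LogScale documentation), shows why both thresholds are needed: with @timestamp in epoch milliseconds, 300000 is five minutes, so only an id that keeps logging the warning for longer than that, more than 10 times, is returned. The event dictionaries, the id values and the use of @rawstring for the free-text match are assumptions made for the illustration.

```python
from collections import defaultdict

def parser_alert(events, min_span_ms=300_000, min_count=10):
    """Emulate the alert query's stages over already-parsed events (dicts)."""
    stamps_by_id = defaultdict(list)
    for e in events:
        # Filter stages: tags, loglevel, class, then the free-text match
        # (assumed here to be a substring match on the raw event text).
        if (e["#type"] == "humio" and e["#kind"] == "logs"
                and e["loglevel"] == "WARN"
                and e["class"] == "c.h.d.ParserLimitingJob"
                and "Setting reject ingest for" in e["@rawstring"]):
            stamps_by_id[e["id"]].append(e["@timestamp"])
    rows = []
    for gid, stamps in stamps_by_id.items():
        # groupBy(id, function=[count(), min(@timestamp), max(@timestamp)])
        row = {"id": gid, "_count": len(stamps),
               "_min": min(stamps), "_max": max(stamps)}
        row["timeDiff"] = row["_max"] - row["_min"]  # milliseconds
        # Both comparisons are strict, as in the query.
        if row["timeDiff"] > min_span_ms and row["_count"] > min_count:
            rows.append(row)
    return rows

def make_events(gid, n, step_ms, loglevel="WARN", start_ms=1_700_000_000_000):
    """Build n constructed events for one id, spaced step_ms apart."""
    return [{"#type": "humio", "#kind": "logs", "loglevel": loglevel,
             "class": "c.h.d.ParserLimitingJob", "id": gid,
             "@timestamp": start_ms + i * step_ms,
             "@rawstring": "Setting reject ingest for <constructed sample>"}
            for i in range(n)]

# Constructed sample data, not real cluster logs.
SAMPLE = (
    make_events("sustained", 12, 30_000)    # 330 s span, 12 events
    + make_events("burst", 50, 1_000)       # 49 s span: too short
    + make_events("sparse", 3, 200_000)     # 400 s span: too few events
    + make_events("boundary", 11, 30_000)   # exactly 300000 ms: not > 300000
    + make_events("info-only", 20, 60_000, loglevel="INFO")  # wrong loglevel
)

if __name__ == "__main__":
    for row in parser_alert(SAMPLE):
        print(row)
```

Only the "sustained" id is returned; the burst, sparse, boundary and INFO-only groups are each excluded by one stage of the query.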

Calculate Minimum and Maximum Response Times

Calculate minimum and maximum response times using multiple aggregate functions in square brackets

Query
logscale
[min_response := min(responsetime), max_response := max(responsetime)]

Introduction

In this example, the min() and max() functions are used to find the shortest and longest response times, with results stored in named fields.

Square brackets allow multiple aggregations to be performed in a single operation.

Writing a list of aggregators in square brackets is a shorthand syntax for the stats() function.

Example incoming data might look like this:

| @timestamp | endpoint | responsetime | status_code |
|---|---|---|---|
| 1686837825000 | /api/users | 145 | 200 |
| 1686837826000 | /api/products | 892 | 200 |
| 1686837827000 | /api/orders | 167 | 200 |
| 1686837828000 | /api/payment | 1290 | 500 |
| 1686837829000 | /api/users | 156 | 200 |
| 1686837830000 | /api/items | 78 | 200 |
| 1686837831000 | /api/orders | 934 | 200 |
| 1686837832000 | /api/checkout | 923 | 200 |
| 1686837833000 | /api/products | 134 | 200 |
| 1686837834000 | /api/users | 445 | 200 |

Step-by-Step
  1. Starting with the source repository events.

  2. logscale
    [min_response := min(responsetime), max_response := max(responsetime)]

    In a single operation, calculates the minimum value from the responsetime field and returns the results in a field named min_response, and calculates the maximum value from the responsetime field and returns the results in a field named max_response.

    Square brackets allow multiple aggregations to be performed in a single operation.

  3. Event Result set.

Summary and Results

The query is used to find the range of response times by calculating both the minimum and maximum values.

The results are returned in fields with names specified in the field assignments.

This query is useful, for example, to monitor service performance, identify outliers in response times, or establish performance baselines.

Sample output from the incoming example data:

| min_response | max_response |
|---|---|
| 78 | 1290 |

Note that only one row is returned containing both calculated values.