Finds the smallest number for the specified field over a set of events.
Omitted Argument Names
The argument name for field can be omitted; the following forms of this function are equivalent:
logscale Syntax
min("value")
and:
logscale Syntax
min(field="value")
These examples show basic structure only.
min() Syntax Examples
Return the minimum responsetime:
min(responsetime)
Filter the result for a minimum responsetime greater than 5 seconds:
min(responsetime)
| _min > 5
min() Examples
Alert Query for Parsers Issues
Reporting errors
Query
#type=humio #kind=logs
| loglevel=WARN
| class = c.h.d.ParserLimitingJob
| "Setting reject ingest for"
| groupBy(id, function=[count(), min(@timestamp), max(@timestamp)] )
| timeDiff:=_max-_min
| timeDiff > 300000 and _count > 10
Introduction
This alert query tries to balance reacting when there are problems with parsers, without being too restrictive.
Step-by-Step
Starting with the source repository events.
- logscale
#type=humio #kind=logs
Filters on all logs across all hosts in the cluster.
- logscale
| loglevel=WARN
Filters for all events where the loglevel is equal to WARN.
- logscale
| class = c.h.d.ParserLimitingJob
Assigns the value c.h.d.ParserLimitingJob to the class for the logs having the loglevel value WARN.
- logscale
| "Setting reject ingest for"
Filters for events containing the string "Setting reject ingest for". This is the error message generated when ingested events are rejected.
- logscale
| groupBy(id, function=[count(), min(@timestamp), max(@timestamp)] )
Groups the returned result by the field id, makes a count on the events and returns the minimum timestamp and maximum timestamp. This returns a new event set, with the fields id, _count, _min, and _max.
- logscale
| timeDiff:=_max-_min
Calculates the time difference between the maximum timestamp values and the minimum timestamp values and returns the result in a new field named timeDiff.
- logscale
| timeDiff > 300000 and _count > 10
Returns all events where the value of timeDiff is greater than 300000 and where there are more than 10 occurrences.
Event Result set.
Summary and Results
This query is used to set up alerts for parser issues. Such alerts make it possible to proactively reach out to customers whose queries are being throttled and help them.
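The alert logic above, emulated in Python as an added example (not part of the original documentation and not LogScale code): it applies the same filters, groups by id, and shows that both thresholds must hold before a row is returned. The event dictionaries, the parser-a/b/c ids, the make_events helper and the substring match on @rawstring are assumptions made for illustration; @timestamp is in epoch milliseconds, so 300000 is five minutes.

```python
from collections import defaultdict

# Thresholds taken from the query: timeDiff > 300000 and _count > 10
MIN_SPAN_MS = 300000
MIN_COUNT = 10

def parser_alerts(events):
    """Emulate the query: filter, groupBy(id) with count/min/max, then threshold."""
    groups = defaultdict(list)
    for ev in events:
        # Same conditions as the first four lines of the query
        if (ev.get("#type") == "humio" and ev.get("#kind") == "logs"
                and ev.get("loglevel") == "WARN"
                and ev.get("class") == "c.h.d.ParserLimitingJob"
                and "Setting reject ingest for" in ev.get("@rawstring", "")):
            groups[ev["id"]].append(ev["@timestamp"])
    rows = []
    for gid, stamps in groups.items():
        row = {"id": gid, "_count": len(stamps),
               "_min": min(stamps), "_max": max(stamps)}
        row["timeDiff"] = row["_max"] - row["_min"]
        # Both conditions are strict inequalities, as in the query
        if row["timeDiff"] > MIN_SPAN_MS and row["_count"] > MIN_COUNT:
            rows.append(row)
    return rows

def make_events(gid, n, step_ms, start=1686837825000):
    """Constructed sample events: n rejections for one id, step_ms apart."""
    return [{"#type": "humio", "#kind": "logs", "loglevel": "WARN",
             "class": "c.h.d.ParserLimitingJob", "id": gid,
             "@timestamp": start + i * step_ms,
             "@rawstring": f"Setting reject ingest for parser {gid}"}
            for i in range(n)]

SAMPLE = (
    make_events("parser-a", 12, 30000)    # 12 events over 330 s: returned
    + make_events("parser-b", 12, 5000)   # 12 events over 55 s: span too short
    + make_events("parser-c", 5, 120000)  # 5 events over 480 s: too few events
)

if __name__ == "__main__":
    for row in parser_alerts(SAMPLE):
        print(row)
```

Only parser-a is returned: a short burst (parser-b) or a slow trickle (parser-c) does not satisfy both conditions.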
Calculate Minimum and Maximum Response Times
Calculate minimum and maximum response times using multiple aggregate functions in square brackets
Query
[min_response := min(responsetime), max_response := max(responsetime)]
Introduction
In this example, the min() and max() functions are used to find the shortest and longest response times, with results stored in named fields.
Square brackets allow multiple aggregations to be performed in a single operation. Writing a list of aggregators in square brackets is a shorthand syntax for the stats() function.
Example incoming data might look like this:
@timestamp | endpoint | responsetime | status_code |
---|---|---|---|
1686837825000 | /api/users | 145 | 200 |
1686837826000 | /api/products | 892 | 200 |
1686837827000 | /api/orders | 167 | 200 |
1686837828000 | /api/payment | 1290 | 500 |
1686837829000 | /api/users | 156 | 200 |
1686837830000 | /api/items | 78 | 200 |
1686837831000 | /api/orders | 934 | 200 |
1686837832000 | /api/checkout | 923 | 200 |
1686837833000 | /api/products | 134 | 200 |
1686837834000 | /api/users | 445 | 200 |
Step-by-Step
Starting with the source repository events.
- logscale
[min_response := min(responsetime), max_response := max(responsetime)]
In a single operation, calculates the minimum value from the responsetime field and returns the results in a field named min_response, and calculates the maximum value from the responsetime field and returns the results in a field named max_response.
Square brackets allow multiple aggregations to be performed in a single operation.
Event Result set.
Summary and Results
The query is used to find the range of response times by calculating both the minimum and maximum values.
The results are returned in fields with names specified in the field assignments.
This query is useful, for example, to monitor service performance, identify outliers in response times, or establish performance baselines.
Sample output from the incoming example data:
min_response | max_response |
---|---|
78 | 1290 |
Note that only one row is returned containing both calculated values.