Match functions

Use these functions in the MATCH AGG clause to aggregate values across all rows that participated in a matched sequence. They only see events that were part of the match, not all events in the time window.

first(x)

Returns the value of an expression from the first event in a matched sequence.

Parameters

  • x - Expression to evaluate from the first matched event

Description

first() retrieves the value of the specified expression from the first event that participated in the match. Use it to access timestamps or field values from the beginning of a matched event sequence.

last(x)

Returns the value of an expression from the last event in a matched sequence.

Parameters

  • x - Expression to evaluate from the last matched event

Description

last() retrieves the value of the specified expression from the last event that participated in the match. Use it to measure durations, access final states, or extract values from the end of a matched event sequence.

count() / count(x)

Counts events in a matched sequence.

Parameters

  • x (optional) - Expression to count non-null values of

Description

When called with no arguments, count() returns the total number of events that participated in the matched sequence. When called with an expression, it counts only the matched rows where that expression is non-null.

sum(x)

Sums numeric values across a matched sequence.

Parameters

  • x - Numeric expression (int, long, float, or double)

Description

sum() computes the sum of a numeric expression across all events that participated in the match. Null values are ignored. The return type is always double.

avg(x)

Averages numeric values across a matched sequence.

Parameters

  • x - Numeric expression (int, long, float, or double)

Description

avg() computes the arithmetic mean of a numeric expression across all events that participated in the match. Null values are ignored. The return type is always double.

min(x)

Returns the minimum value across a matched sequence.

Parameters

  • x - Numeric, string, or timestamp expression

Description

min() returns the smallest value of the given expression across all events that participated in the match. For numeric values it returns the numerically smallest, for strings it uses lexicographic ordering, and for timestamps it returns the earliest. The return type matches the input type.

max(x)

Returns the maximum value across a matched sequence.

Parameters

  • x - Numeric, string, or timestamp expression

Description

max() returns the largest value of the given expression across all events that participated in the match. For numeric values it returns the numerically largest, for strings it uses lexicographic ordering, and for timestamps it returns the latest. The return type matches the input type.

array_agg(x)

Collects values from matched rows into an array.

Parameters

  • x - Expression of any type to collect

Description

array_agg() creates an array containing the values of the specified expression from all events that participated in the match. The elements appear in match order. The return type is array<T> where T is the input type.

count_distinct(x)

Counts distinct values across a matched sequence.

Parameters

  • x - Expression of any type to count distinct values of

Description

count_distinct() returns the number of distinct values of the given expression across all events that participated in the match. The return type is int.
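
The Python sketch below is an added illustration, not the product's query syntax or code from this documentation. It models the aggregate semantics described above on a constructed login sequence and shows how results over the matched events differ from results over the whole time window. The event fields, the sample data and the choice of which events form the match are assumptions.

```python
from datetime import datetime, timedelta

T0 = datetime(2024, 1, 1, 12, 0, 0)

def ev(sec, action, src_ip, bytes_out=None):
    """Build one constructed sample event; bytes_out=None models a null field."""
    return {"ts": T0 + timedelta(seconds=sec), "action": action,
            "src_ip": src_ip, "bytes_out": bytes_out}

# Constructed time window: every event seen for one user.
WINDOW = [
    ev(0, "page_view", "198.51.100.7", 120),
    ev(5, "login_failed", "203.0.113.9"),
    ev(9, "login_failed", "203.0.113.9", 64),
    ev(14, "login_failed", "203.0.113.10"),
    ev(20, "login_ok", "203.0.113.10", 512),
    ev(31, "page_view", "198.51.100.7", 300),
]
# Assumed match: three failed logins followed by a success (rows 1..4).
MATCHED = WINDOW[1:5]

def non_null(rows, field):
    # sum(), avg() and count(x) ignore rows where the expression is null.
    return [r[field] for r in rows if r[field] is not None]

def match_agg(rows):
    """Model of the page's aggregates, evaluated over `rows` in match order."""
    b = non_null(rows, "bytes_out")
    return {
        "first_ts": rows[0]["ts"],                                  # first(ts)
        "last_ts": rows[-1]["ts"],                                  # last(ts)
        "duration_s": (rows[-1]["ts"] - rows[0]["ts"]).total_seconds(),
        "count": len(rows),                                         # count()
        "count_bytes": len(b),                                      # count(bytes_out)
        "sum_bytes": float(sum(b)),                                 # always double
        # The all-null case is not specified on the page; None is an assumption.
        "avg_bytes": float(sum(b)) / len(b) if b else None,
        # src_ip is a string here, so ordering is lexicographic:
        # "203.0.113.10" sorts before "203.0.113.9".
        "min_ip": min(r["src_ip"] for r in rows),
        "max_ip": max(r["src_ip"] for r in rows),
        "ips": [r["src_ip"] for r in rows],                         # array_agg, match order
        "distinct_ips": len({r["src_ip"] for r in rows}),           # count_distinct
    }

if __name__ == "__main__":
    for name, rows in (("matched", MATCHED), ("window", WINDOW)):
        print(name, match_agg(rows))
```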