Add arg_min, arg_max #182
Add arg_min, arg_max #182
Conversation
|
Do we not have preview links for these? |
| The `arg_max` aggregation in APL helps you identify the record with the maximum value for a specific numeric field and return one or more additional fields from that record. Use `arg_max` when you want to determine key details associated with a record having the maximum value, such as the longest request duration, highest transaction amount, or most significant span duration. | ||
|
|
||
| This aggregation is particularly useful in scenarios like: | ||
|
|
||
| - Pinpointing the slowest HTTP requests in log data. | ||
| - Identifying the longest span durations in OpenTelemetry traces. | ||
| - Highlighting the highest severity security alerts in logs. |
There was a problem hiding this comment.
I think this mostly describes a max() aggregation and doesn't focus on the 'arg' part of it.
o1 makes it more clear imo:
- You group your data by one or more columns (using by in summarize).
- Within each group, Kusto finds the row where a particular expression (often a column) has the maximum value.
- It then returns specified columns from that “maximum” row.
There was a problem hiding this comment.
|
|
||
| <CodeGroup> | ||
| ```sql Splunk example | ||
| | stats max(req_duration_ms) as max_duration by id, uri |
There was a problem hiding this comment.
AFAIK splunk doesn't have an equivalent for arg_max, this is just
| summarize max(req_duration_ms) by id, uri
|
|
||
| ```kusto | ||
| ['sample-http-logs'] | ||
| | summarize arg_max(req_duration_ms, method) by uri |
There was a problem hiding this comment.
IMO a better example would be with swapped uri & method - ie arg_max(duration, uri) by method - which would return slowest paths for any given HTTP method.
Find the slowest HTTP request for each URI in the
['sample-http-logs']dataset.
that doesn't need arg_max, would be just summarize max(duration) by uri
There was a problem hiding this comment.
or perhaps replace the method with request_id (in the original), that also makes sense
|
|
||
| ```kusto | ||
| ['otel-demo-traces'] | ||
| | summarize arg_max(duration, span_id, trace_id) by ['service.name'] |
Preview:
https://axiom-mano-axm-373-document-arg_min-arg_max.mintlify.app/apl/aggregation-function/arg-min
https://axiom-mano-axm-373-document-arg_min-arg_max.mintlify.app/apl/aggregation-function/arg-max