Aggregation operators

Aggregation operators enable you to create log-based metrics. Log-based metrics help you cut through the noise of high-volume logs to identify trends and patterns in your application activity.

FuseQL groups aggregations by time buckets, and supports additional grouping dimensions.

Here is the comprehensive list of aggregation operators:

avg: Computes the average of numeric values.
count: Counts the total number of log lines.
count_unique: Counts only unique or distinct occurrences of the field.
first: Computes the first of numeric values.
last: Computes the last of numeric values.
max: Computes the maximum of numeric values.
min: Computes the minimum of numeric values.
percentiles: Computes the percentiles (p50, p75, p90, p95 or p99) of numeric values.
stddev: Computes the standard deviation of numeric or duration-valued facets.
stdvar: Computes the standard variance of numeric or duration-valued facets.
sum: Computes the sum of numeric or duration-valued facets.

Example Scenario

The examples below analyze log events from a query service that tracks alert query performance:

time="2025-12-16T18:06:04.267Z" level=info msg=Finished AlertName="High Memory Usage" request="map[end:[1765908360] query:[avg(kubernetes_memory_usage)] start:[1765908060]]" duration=1.085s

avg

Computes the average of numeric values.

Syntax

| avg(<field>) [as <alias>] [by <field1>, <field2>, ...]

Example

Calculate the average query duration grouped by alert name and PromQL query:

source="query-service" and org_id="pisco-shared"
| @AlertName as AlertName, @duration as duration
| toDuration(duration) as durationMs
| parse "query:[*] start:[" as PromQL
| where durationMs > 1000
| fields - duration
| avg(durationMs) by AlertName, PromQL
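
To show what each stage of this pipeline computes, the following Python code emulates it on constructed log lines in the scenario's format. It is an added example, not FuseQL itself or code from the product; it assumes `toDuration` yields milliseconds and that `*` in the `parse` pattern captures the text between the two literals.

```python
import re
from collections import defaultdict
from statistics import mean

# Constructed events in the format of the scenario's sample line.
_FMT = ('time="2025-12-16T18:06:0{i}.267Z" level=info msg=Finished AlertName="{alert}" '
        'request="map[end:[1765908360] query:[{q}] start:[1765908060]]" duration={d}')
SAMPLE_LOGS = [
    _FMT.format(i=4, alert="High Memory Usage", q="avg(kubernetes_memory_usage)", d="1.085s"),
    _FMT.format(i=5, alert="High Memory Usage", q="avg(kubernetes_memory_usage)", d="2.315s"),
    _FMT.format(i=6, alert="High Memory Usage", q="avg(kubernetes_memory_usage)", d="640ms"),
    _FMT.format(i=7, alert="High CPU Usage", q="avg(kubernetes_cpu_usage)", d="1.5s"),
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted value" or key=bare
PROMQL_RE = re.compile(r'query:\[(.*?)\] start:\[')   # parse "query:[*] start:["
UNIT_MS = {"ms": 1.0, "s": 1000.0, "m": 60000.0}

def to_duration_ms(text):
    """Assumed toDuration behaviour: '1.085s' -> 1085.0 milliseconds."""
    number, unit = re.fullmatch(r'([\d.]+)(ms|s|m)', text).groups()
    return round(float(number) * UNIT_MS[unit], 3)

def parse_event(line):
    """Extract key=value fields, then the PromQL text via the parse pattern."""
    event = {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}
    match = PROMQL_RE.search(event["request"])
    event["PromQL"] = match.group(1) if match else None
    return event

def slow_query_stats(lines, threshold_ms=1000):
    """Apply `where durationMs > 1000`, then aggregate by (AlertName, PromQL)."""
    groups = defaultdict(list)
    for line in lines:
        event = parse_event(line)
        duration_ms = to_duration_ms(event["duration"])
        if duration_ms > threshold_ms:  # filter runs before any aggregation
            groups[(event["AlertName"], event["PromQL"])].append(duration_ms)
    return {key: {"count": len(v), "avg": mean(v), "min": min(v), "max": max(v)}
            for key, v in groups.items()}

if __name__ == "__main__":
    for key, stats in slow_query_stats(SAMPLE_LOGS).items():
        print(key, stats)
```

Because the `where` stage runs before the aggregation, every statistic describes only the queries slower than 1000 ms; the 640 ms event never reaches `avg` or `min`.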

count

Counts the total number of log lines.

Syntax

| count [by <field1>, <field2>, ...]

Example

Count the number of slow queries grouped by alert name and PromQL query:

source="query-service" and org_id="pisco-shared"
| @AlertName as AlertName, @duration as duration
| toDuration(duration) as durationMs
| parse "query:[*] start:[" as PromQL
| where durationMs > 1000
| fields - duration
| count by AlertName, PromQL

count_unique

Counts only unique or distinct occurrences of the field.

This operator can be applied to fingerprints, labels, or string-valued facets (the facet value can be of the string, UUID, or IP address datatype).

Syntax

| count_unique(<field>) [as <alias>] [by <field1>, <field2>, ...]

Example

Count the number of unique alert names for slow queries:

source="query-service" and org_id="pisco-shared"
| @AlertName as AlertName, @duration as duration
| toDuration(duration) as durationMs
| parse "query:[*] start:[" as PromQL
| where durationMs > 1000
| fields - duration
| count_unique(AlertName)

first

Computes the first of numeric values.

Syntax

| first(<field>) [as <alias>] [by <field1>, <field2>, ...]

Example

Get the first query duration value for each alert name:

source="query-service" and org_id="pisco-shared"
| @AlertName as AlertName, @duration as duration
| toDuration(duration) as durationMs
| parse "query:[*] start:[" as PromQL
| where durationMs > 1000
| fields - duration
| first(durationMs) by AlertName

last

Computes the last of numeric values.

Syntax

| last(<field>) [as <alias>] [by <field1>, <field2>, ...]

Example

Get the last query duration value for each alert name:

source="query-service" and org_id="pisco-shared"
| @AlertName as AlertName, @duration as duration
| toDuration(duration) as durationMs
| parse "query:[*] start:[" as PromQL
| where durationMs > 1000
| fields - duration
| last(durationMs) by AlertName

max

Computes the maximum of numeric values.

Syntax

| max(<field>) [as <alias>] [by <field1>, <field2>, ...]

Example

Find the maximum query duration for each alert name:

source="query-service" and org_id="pisco-shared"
| @AlertName as AlertName, @duration as duration
| toDuration(duration) as durationMs
| parse "query:[*] start:[" as PromQL
| where durationMs > 1000
| fields - duration
| max(durationMs) by AlertName

min

Computes the minimum of numeric values.

Syntax

| min(<field>) [as <alias>] [by <field1>, <field2>, ...]

Example

Find the minimum query duration for each alert name:

source="query-service" and org_id="pisco-shared"
| @AlertName as AlertName, @duration as duration
| toDuration(duration) as durationMs
| parse "query:[*] start:[" as PromQL
| where durationMs > 1000
| fields - duration
| min(durationMs) by AlertName

percentiles

Computes the percentiles (p50, p75, p90, p95 or p99) of numeric values.

Syntax

| p50(<field>) [as <alias>] [by <field1>, <field2>, ...]
| p75(<field>) [as <alias>] [by <field1>, <field2>, ...]
| p90(<field>) [as <alias>] [by <field1>, <field2>, ...]
| p95(<field>) [as <alias>] [by <field1>, <field2>, ...]
| p99(<field>) [as <alias>] [by <field1>, <field2>, ...]
| p84(<field>) [as <alias>] [by <field1>, <field2>, ...]
| p16(<field>) [as <alias>] [by <field1>, <field2>, ...]

Example

Calculate the 95th percentile of query duration for each alert name:

source="query-service" and org_id="pisco-shared"
| @AlertName as AlertName, @duration as duration
| toDuration(duration) as durationMs
| parse "query:[*] start:[" as PromQL
| where durationMs > 1000
| fields - duration
| p95(durationMs) by AlertName

stddev

Computes the standard deviation of numeric or duration-valued facets.

Syntax

| stddev(<field>) [as <alias>] [by <field1>, <field2>, ...]

Example

Calculate the standard deviation of query duration for each alert name:

source="query-service" and org_id="pisco-shared"
| @AlertName as AlertName, @duration as duration
| toDuration(duration) as durationMs
| parse "query:[*] start:[" as PromQL
| where durationMs > 1000
| fields - duration
| stddev(durationMs) by AlertName

stdvar

Computes the standard variance of numeric or duration-valued facets.

Syntax

| stdvar(<field>) [as <alias>] [by <field1>, <field2>, ...]

Example

Calculate the standard variance of query duration for each alert name:

source="query-service" and org_id="pisco-shared"
| @AlertName as AlertName, @duration as duration
| toDuration(duration) as durationMs
| parse "query:[*] start:[" as PromQL
| where durationMs > 1000
| fields - duration
| stdvar(durationMs) by AlertName

sum

Computes the sum of numeric or duration-valued facets.

Syntax

| sum(<field>) [as <alias>] [by <field1>, <field2>, ...]

Example

Calculate the total query duration for each alert name:

source="query-service" and org_id="pisco-shared"
| @AlertName as AlertName, @duration as duration
| toDuration(duration) as durationMs
| parse "query:[*] start:[" as PromQL
| where durationMs > 1000
| fields - duration
| sum(durationMs) by AlertName