Description
This operation returns the lowest value found in a data set.
How does it work in the search window?
You can use this operation in two different ways, as an Aggregation or as a Create field operation:
Aggregation: returns the lowest value found in a specified field for each grouping occurrence.
Create field: creates a field that shows the lowest of the values found in two or more numeric fields.
Aggregation
Note |
---|
Before being able to perform this operation, you have to group your data. Be aware that the fields used as arguments for the grouping operation will not be available to select as arguments for the aggregation operation. |
After grouping the data, select Aggregation in the search window toolbar, then select the Minimum operation. You need to specify one argument:
Argument | Data type | Description |
---|---|---|
Min of mandatory | integer, float | When the selected argument is a number, the argument will be automatically transformed into Min of and will retrieve the lowest value found in the specified field for each grouping occurrence. |
First of (alphabetically ordered) mandatory | string | When the selected argument is a string, the argument will be automatically transformed into First of (alphabetically ordered) and will retrieve the first of the alphabetically ordered values found in the specified field for each grouping occurrence. |
...
Select Create field in the search window toolbar, then select the Minimum operation. You need to add at least two Any number arguments, but you can add as many as required.
Argument | Data type |
---|---|
Any number mandatory | integer, float |
Any number mandatory | integer, float |
The data type of the values in the new field is integer or float.
Example
Aggregation
...
In the demo.ecommerce.data table, we want to get the lowest value of the bytesTransferred field in each 5-minute group. Before aggregating the data, the table must be grouped in 5-minute intervals. Then we will perform the aggregation using the Minimum operation.
The arguments needed for the Minimum operation are:
Min of → bytesTransferred field
...
Click Aggregate function and you will see the following result:
...
Aggregation 2
In the siem.logtrust.web.activity table, we want to get the first alphabetical value of the city field in each 5-minute group. Before aggregating the data, the table must be grouped in 5-minute intervals. Then we will perform the aggregation using the Minimum operation.
The arguments needed for the Minimum operation are:
First of (alphabetically ordered) → city field
...
Click Aggregate function and you will see the following result:
...
Create field
In the demo.ecommerce.data table, we want to get the lowest of the values found in either the bytesTransferred or timeTaken fields for each event. To do that, we will create a field using the Minimum operation.
The arguments needed for the Minimum operation are:
Any Number → bytesTransferred field
Any Number → timeTaken field
...
...
How does it work in LINQ?
Aggregation
Group your data using the following structure:
...
Then, use select ... as ... to add the new field that will show the aggregated values. This is the syntax for the Minimum operation:
min(numeric_field)
min(string_field)
See Build a query using LINQ to learn more about grouping and aggregating your data using the LINQ language.
Create field
Use select ... as ... to apply the Create field operation. This is the syntax for the Minimum operation:
min(numeric_field1, numeric_field2, numeric_field3...)
Info |
---|
Using this operation in Activeboards: Be aware that the Create field version of this operation has an important limitation in Activeboards, where the number of arguments is limited to two. As a workaround, you can perform subsequent minimum operations until you have obtained the minimum of all the arguments you need. Visit this article for more syntax differences between the Search Window and Activeboards. |
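The workaround described in the note above, written out as an added example (it is not part of the original page): each step calls min with only two arguments, and the second step reuses the result of the first. The field statusCode is assumed to be a third numeric field of the table, the names min_step1 and min_all are illustrative, and the `//` comment lines assume the query editor accepts that comment style.

```linq
// Added example: statusCode is an assumed third numeric field, not taken from this page.
from demo.ecommerce.data
// Step 1: two-argument minimum, which stays within the Activeboards limit
select min(bytesTransferred, timeTaken) as min_step1
// Step 2: compare the intermediate result with the next field
select min(min_step1, statusCode) as min_all
```

The min_all field holds the same value that min(bytesTransferred, timeTaken, statusCode) would return in the search window.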
Examples
You can copy the following LINQ scripts and try the examples above on the demo.ecommerce.data and siem.logtrust.web.activity tables:
Aggregation
...
```
from demo.ecommerce.data
group every 5m
every 5m
select min(bytesTransferred) as bytesTransferred_min
```
...
```
from siem.logtrust.web.activity
group every 5m
every 5m
select min(city) as city_min
```
...