Description

This operation returns the lowest value found in a data set.

How does it work in the search window?

You can use this operation in two different ways: as an Aggregation or as a Create field operation:

  • Aggregation: returns the lowest value found in a specified field for each grouping occurrence.

  • Create field: creates a field that shows the lowest of the values found in two or more numeric fields.

Aggregation

Note

Before being able to perform this operation, you have to group your data. Be aware that the fields used as arguments for the grouping operation will not be available to select as arguments for the aggregation operation.

After grouping the data, select Aggregation in the search window toolbar, then select the Minimum operation. You need to specify one argument:

| Argument | Data type | Description |
| --- | --- | --- |
| Min of (mandatory) | integer, float | When the selected argument is a number, the argument will be automatically transformed into Min of and will retrieve the lowest value found in the specified field for each grouping occurrence. |
| First of (alphabetically ordered) (mandatory) | string | When the selected argument is a string, the argument will be automatically transformed into First of (alphabetically ordered) and will retrieve the first of the alphabetically ordered values found in the specified field for each grouping occurrence. |

Note

Be aware that if a string field used as the argument contains null values, they will be considered when ordering alphabetically. Consequently, if the value retrieved is null, it does not mean the operation has failed, only that it is the first value found when ordering alphabetically.

The data type of the aggregated values is integer, float or string.

Create field

Select Create field in the search window toolbar, then select the Minimum operation. You need to add at least two Any number arguments, but you can add as many as required.

| Argument | Data type |
| --- | --- |
| Any number (mandatory) | integer, float |
| Any number (mandatory) | integer, float |

The data type of the values in the new field is integer or float.

Example

Aggregation

...

In the demo.ecommerce.data table, we want to get the lowest value of the bytesTransferred column in each 5-minute group. Before aggregating the data, the table must be grouped in 5-minute intervals. Then we will perform the aggregation using the Minimum operation.

The arguments needed for the Minimum operation are:

  • Min of → bytesTransferred column

...

Click Aggregate function and you will see the following result:

...

Aggregation 2

In the siem.logtrust.web.activity table, we want to get the first alphabetical value of the city field in each 5-minute group. Before aggregating the data, the table must be grouped in 5-minute intervals. Then we will perform the aggregation using the Minimum operation.

The arguments needed for the Minimum operation are:

  • First of (alphabetically ordered) → city field

...

Click Aggregate function and you will see the following result:

...

Create field

In the siem.logtrust.web.activity table, we want to get the lowest of the values found in either the responseTime or ContentLength fields for each event. To do that, we will create a field using the Minimum operation.

The arguments needed for the Minimum operation are:

  • Number → responseTime field

  • Number → ContentLength field

...

Click Create column and you will see the following result:

...

How does it work in LINQ?

Aggregation

Group your data using the following structure:

  • group every server period by field1, field2...
    every client period

Then, use select... as... to add the new field that will show the aggregated values. This is the syntax for the Minimum operation:

  • min(numeric_field)

  • min(string_field)

See Build a query using LINQ to learn more about grouping and aggregating your data using the LINQ language.

Create field

Use select... as... to apply the Create field operation. This is the syntax for the Minimum operation:

  • min(numeric_field1, numeric_field2, numeric_field3...)

Info

Using this operation in Activeboards

Be aware that using the create field version of this operation in Activeboards presents an important limitation: the number of arguments is limited to two.

As a workaround, you can perform subsequent minimum operations until you have obtained the minimum of all the arguments you need. Visit this article for more syntax differences between the Search Window and Activeboards.

Workaround example → select min(number1, number2) as A, min(A, number3) as B, min(B, number4) as C...

Examples

You can copy the following LINQ scripts and try the examples above on the demo.ecommerce.data and siem.logtrust.web.activity tables:

Aggregation 1

...

Aggregation

...

from siem.logtrust.web.activity
  group every 5m
  every 5m
  select min(city) as city_min

Create field

from siem.logtrust.web.activity
  select min(contentLength, responseLength) as min_content_response
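
The null caveat from the Aggregation note, as an added example in Devo LINQ that is not part of the original page: the first query drops events with a null city before grouping, so city_min is always a real value, and the second counts the dropped events in each 5-minute group. It assumes the isnotnull, isnull and count operations, which this page does not show; the output names city_min and null_city_events are illustrative.

```linq
// Added example, not from the original page.
// First non-null city (alphabetical order) in each 5-minute group.
from siem.logtrust.web.activity
  where isnotnull(city)
  group every 5m
  every 5m
  select min(city) as city_min

// Companion query: number of events per group whose city is null
// (null_city_events is an illustrative output name).
from siem.logtrust.web.activity
  where isnull(city)
  group every 5m
  every 5m
  select count() as null_city_events
```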