You can use aggregate functions on your log results to view the count of events, size of events, unique count of field names, and so on.

Procedure

  1. On the Explore Logs page, fetch your query search results for log events. For more information, see Search and Filter Logs.
  2. On the log chart, expand the Count of Events drop-down menu and select one of the following options:
    | Option | Description |
    | --- | --- |
    | Count of events | This is the default option, which shows the total count of log events over the selected time range. |
    | Size of events | This option shows the size of log events over the selected time range. Note: If you select the Size of events option and group the events by one or more fields, such as appname or hostname, the Show Top Contributors check box appears in the top-right corner of the chart. Select the check box to view the top contributors by size based on the selected group by fields. |
    | Unique count of [field name] | This option shows the number of unique instances for the selected field name. |
    | Numerical function for [field name] | This is applicable only for numerical fields. You can select multiple numerical options such as Average, Maximum, and so on. For example, if you select the field process in the drop-down menu with the Average and Maximum options, the results display the average and maximum counts for the field process. |

    Tip: You can use the over time drop-down menu to group the results of the aggregate functions. To learn more, see Group Logs During Search.