TIBCO LogLogic LMI - Can users aggregate 2 or more unit time with Aggregation Rules?

Article ID: KB0080108

Products Versions
TIBCO LogLogic Log Management Intelligence LMI 6.2.x

Description

In a scenario where users need to aggregate results over two or more time units (e.g. two days of the first week of the current month), can they use Aggregation Rules to achieve that?

Issue/Introduction

If a user configures an aggregation rule with one or more time units (i.e. days, weeks or months), can that aggregation rule return results aggregated over multiples of a unit (e.g. 2 days or 2 weeks)?

Resolution

The answer is no. This is due to the way the Aggregation Rule groups the result set when a time unit (e.g. days) is specified: the rule always returns rows grouped by a single unit of that time (one day in this case), regardless of the span requested.

To aggregate over multiple units, users need to run a plain SQL/EQL query that specifies the time unit and the number of units. For instance:

USE system | sys_eventTime in -2d | GROUP BY sys_collectIP

This query returns the message count grouped by source IP for the last 2 days. In contrast, the Aggregation Rule adds the time unit to the GROUP BY statement, as below:

USE system | GROUP BY sys_collectIP,days(sys_eventTime)

This returns counts grouped by (single) day.
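
The difference between the two groupings can be modelled outside LMI. The following Python sketch is an added example, not TIBCO code: the function names and sample events are constructed, and it assumes that `-2d` means the 48 hours before query time. It also shows that summing per-day rows over whole calendar days does not necessarily reproduce the relative 2-day window.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data: (event time, source IP). NOW is the query time.
NOW = datetime(2024, 3, 8, 12, 0)
EVENTS = [
    (datetime(2024, 3, 5, 23, 0), "10.0.0.5"),   # before the window
    (datetime(2024, 3, 6, 9, 0), "10.0.0.5"),    # same day as window start, but earlier
    (datetime(2024, 3, 6, 18, 0), "10.0.0.5"),
    (datetime(2024, 3, 7, 8, 30), "10.0.0.5"),
    (datetime(2024, 3, 7, 14, 0), "10.0.0.9"),
    (datetime(2024, 3, 8, 1, 15), "10.0.0.5"),
    (datetime(2024, 3, 8, 11, 0), "10.0.0.9"),
]

def window_counts(events, now, days):
    """Plain-query shape: one row per IP over the last `days` days.
    Assumption: the relative window is [now - days, now]."""
    start = now - timedelta(days=days)
    return Counter(ip for ts, ip in events if start <= ts <= now)

def per_day_counts(events):
    """Aggregation-rule shape: one row per (IP, calendar day)."""
    return Counter((ip, ts.date()) for ts, ip in events)

def rollup(day_rows, first_day, last_day):
    """Sum per-day rows into one row per IP over a span of whole days."""
    out = Counter()
    for (ip, day), n in day_rows.items():
        if first_day <= day <= last_day:
            out[ip] += n
    return out

if __name__ == "__main__":
    print("2-day window :", dict(window_counts(EVENTS, NOW, 2)))
    rows = per_day_counts(EVENTS)
    print("per-day rows :", len(rows))
    first = (NOW - timedelta(days=2)).date()
    print("day roll-up  :", dict(rollup(rows, first, NOW.date())))
```

The roll-up counts the 09:00 event on the first day because day buckets follow calendar boundaries, while the relative window starts at 12:00 on that day.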