Group By

Most recent version: v1.1.0

See the changelog of this Action type .

Overview

The Group By Action summarizes data by performing aggregations using keys and temporal keys (min, hour, or day).

AI Action Assistant

Ports

These are the input and output ports of this Action:

Input ports

Default port - All the events to be processed by this Action enter through this port.

Output ports

Default port - Events are sent through this port if no error occurs while processing them.
Error port - Events are sent through this port if an error occurs while processing them.

Configuration

To open the configuration, click the Action in the canvas and select Configuration.

Enter the required parameters:

Grouping configuration

Parameter

Description

Fields to group*

Lists the fields from the linked Listener or Action for you to choose from. Choose one or more fields to group by.

Grouping time*

Having defined which fields to group by, choose or create a Grouping time. You can write the amount and unit (seconds, minutes, hours, days), or select a common amount.

Aggregations

Parameter

Description

Aggregations*

Now you can add aggregation(s) to your grouping using the following operations:

average - calculates the average of the values of each grouping.
count - calculates the total occurrences for each grouping.
countNotNull - calculates the total occurrences for each grouping, excluding null values.
first - finds the first value found for each grouping. The first value will be the first in the workers' queue.
firstNotNull - finds the first not null value found for each grouping. The first value will be the first in the workers' queue.
ifthenelse - the operation will only be executed if the given conditions are met.
last - finds the last value found for each grouping. The last value will be the last in the workers' queue.
lastNotNull - finds the last not null value found for each grouping. The last value will be the last in the workers' queue.
max - finds the highest value found.
min - finds the lowest value found.
sum - calculates the total of the values for each grouping.

To add another aggregation, use the Add item option.

You can also use the arrow keys on your keyboard to navigate up and down the list.

Conditions

You can also carry out an advanced configuration by Grouping By Conditionals.

Use the Add Condition option to add conditions to your Aggregation.

Click Save to complete.

Example

In this example, we will use the Group By action to summarize a large amount of data, grouping by IP address every 5 minutes and aggregate the number of requests by type per IP address.

Raw data

Consider events with the following fields:

IP_Address
Request_Type
Timestamp

[
  {"IP_Address": "192.168.1.1", "Request_Type": "GET", "Timestamp": "2025-01-09T08:00:00Z"},
  {"IP_Address": "192.168.1.2", "Request_Type": "POST", "Timestamp": "2025-01-09T08:05:00Z"},
  {"IP_Address": "192.168.1.1", "Request_Type": "POST", "Timestamp": "2025-01-09T08:10:00Z"},
  {"IP_Address": "192.168.1.3", "Request_Type": "GET", "Timestamp": "2025-01-09T08:15:00Z"},
  {"IP_Address": "192.168.1.2", "Request_Type": "GET", "Timestamp": "2025-01-09T08:20:00Z"},
  {"IP_Address": "192.168.1.1", "Request_Type": "GET", "Timestamp": "2025-01-09T08:25:00Z"},
  {"IP_Address": "192.168.1.3", "Request_Type": "POST", "Timestamp": "2025-01-09T08:30:00Z"}
]

Group by

We add the Group By Action to the canvas and link it to the incoming data.

Group the logs by IP_Addressover a period of five minutes by selecting the field containing them in Fields to group and five minutes as the grouping time.

Aggregate

Aggregate the number of requests per IP address, broken down by request type (e.g., GET vs POST).

Operation: count
Field: Request_Type
Output field: count

Output

The Group By Action will emit the following results via the default output port:

{
  "aggregated_requests": [
    {
      "IP_Address": "192.168.1.1",
      "GET_Count": 2,
      "POST_Count": 1,
      "Total_Requests": 3
    },
    {
      "IP_Address": "192.168.1.2",
      "GET_Count": 1,
      "POST_Count": 1,
      "Total_Requests": 2
    },
    {
      "IP_Address": "192.168.1.3",
      "GET_Count": 1,
      "POST_Count": 1,
      "Total_Requests": 2
    }
  ]
}

You now have one event per grouping and aggregation match.

PreviousAccumulator NextAI

Last updated 1 month ago

Was this helpful?

Overview

The Group By Action summarizes data by performing aggregations using keys and temporal keys (min, hour, or day).

In order to configure this Action, you must first link it to a Listener. Go to to learn how to link.

AI Action Assistant

This Action has an AI-powered chat feature that can help you configure its parameters. Read more about it in .

Ports

These are the input and output ports of this Action:

Input ports

Default port - All the events to be processed by this Action enter through this port.

Output ports

Default port - Events are sent through this port if no error occurs while processing them.
Error port - Events are sent through this port if an error occurs while processing them.

Configuration

Find Group By in the Actions tab (under the Aggregation group) and drag it onto the canvas. Link it to the required and .

To open the configuration, click the Action in the canvas and select Configuration.

Enter the required parameters:

Grouping configuration

Parameter

Description

Fields to group*

Lists the fields from the linked Listener or Action for you to choose from. Choose one or more fields to group by.

Grouping time*

Having defined which fields to group by, choose or create a Grouping time. You can write the amount and unit (seconds, minutes, hours, days), or select a common amount.

Aggregations

Parameter

Description

Aggregations*

Now you can add aggregation(s) to your grouping using the following operations:

average - calculates the average of the values of each grouping.
count - calculates the total occurrences for each grouping.
countNotNull - calculates the total occurrences for each grouping, excluding null values.
first - finds the first value found for each grouping. The first value will be the first in the workers' queue.
firstNotNull - finds the first not null value found for each grouping. The first value will be the first in the workers' queue.
ifthenelse - the operation will only be executed if the given conditions are met.
last - finds the last value found for each grouping. The last value will be the last in the workers' queue.
lastNotNull - finds the last not null value found for each grouping. The last value will be the last in the workers' queue.
max - finds the highest value found.
min - finds the lowest value found.
sum - calculates the total of the values for each grouping.

To add another aggregation, use the Add item option.

You can also use the arrow keys on your keyboard to navigate up and down the list.

Conditions

You can also carry out an advanced configuration by Grouping By Conditionals.

Use the Add Condition option to add conditions to your Aggregation.

Click Save to complete.

Example

In this example, we will use the Group By action to summarize a large amount of data, grouping by IP address every 5 minutes and aggregate the number of requests by type per IP address.

Raw data

Consider events with the following fields:

IP_Address
Request_Type
Timestamp

[
  {"IP_Address": "192.168.1.1", "Request_Type": "GET", "Timestamp": "2025-01-09T08:00:00Z"},
  {"IP_Address": "192.168.1.2", "Request_Type": "POST", "Timestamp": "2025-01-09T08:05:00Z"},
  {"IP_Address": "192.168.1.1", "Request_Type": "POST", "Timestamp": "2025-01-09T08:10:00Z"},
  {"IP_Address": "192.168.1.3", "Request_Type": "GET", "Timestamp": "2025-01-09T08:15:00Z"},
  {"IP_Address": "192.168.1.2", "Request_Type": "GET", "Timestamp": "2025-01-09T08:20:00Z"},
  {"IP_Address": "192.168.1.1", "Request_Type": "GET", "Timestamp": "2025-01-09T08:25:00Z"},
  {"IP_Address": "192.168.1.3", "Request_Type": "POST", "Timestamp": "2025-01-09T08:30:00Z"}
]

Group by

We add the Group By Action to the canvas and link it to the incoming data.

Group the logs by IP_Addressover a period of five minutes by selecting the field containing them in Fields to group and five minutes as the grouping time.

Aggregate

Aggregate the number of requests per IP address, broken down by request type (e.g., GET vs POST).

Operation: count
Field: Request_Type
Output field: count

Output

The Group By Action will emit the following results via the default output port:

{
  "aggregated_requests": [
    {
      "IP_Address": "192.168.1.1",
      "GET_Count": 2,
      "POST_Count": 1,
      "Total_Requests": 3
    },
    {
      "IP_Address": "192.168.1.2",
      "GET_Count": 1,
      "POST_Count": 1,
      "Total_Requests": 2
    },
    {
      "IP_Address": "192.168.1.3",
      "GET_Count": 1,
      "POST_Count": 1,
      "Total_Requests": 2
    }
  ]
}

You now have one event per grouping and aggregation match.