multigroupby
Description
The multigroupby command concatenates the results from two or more
groupby queries into a single dataset. It allows multiple
aggregation queries to execute in one scan, improving efficiency and keeping
grouped results synchronized.
Key benefits:
- Efficiency: Data is scanned only once across multiple groupings.
- Synchronization: Results remain coherent, avoiding mismatches between independently run groupby queries.
The maximum number of buckets that multigroupby can process is 64.
Syntax
multigroupby (<grouping_expression_1> as <alias> [, <grouping_expression_2> as <alias_2>, ...])
[, (<grouping_expression_1> as <alias> [, <grouping_expression_2> as <alias_2>, ...]), ...]
[aggregate] <aggregation_expression> [as <result_keypath>] [, <aggregation_expression_2> [as <result_keypath_2>], ...]
Example 1
Use case: Compare subsystem-level and application-level counts in one query
With multigroupby, you can produce both detailed counts (e.g. per subsystem)
and higher-level totals (e.g. per application) in a single scan. This avoids
running two separate queries and ensures the results are synchronized.
Example data
{ "applicationname": "monitoring24", "subsystemname": "NO_SUBSYSTEM_NAME" },
{ "applicationname": "monitoring24", "subsystemname": "coralogix-opentelemetry-agent" },
{ "applicationname": "monitoring24", "subsystemname": "coralogix-opentelemetry-collector" },
{ "applicationname": "monitoring24", "subsystemname": "NO_SUBSYSTEM_NAME" },
{ "applicationname": "monitoring24", "subsystemname": "coralogix-opentelemetry-agent" }
Example query
source logs
| multigroupby ($l.applicationname as app, $l.subsystemname as ss), ($l.applicationname as app)
agg count()
| orderby app, ss
Example output
| app | ss | _count0 |
|---|---|---|
| monitoring24 | NO_SUBSYSTEM_NAME | 241 |
| monitoring24 | coralogix-opentelemetry-agent | 231 |
| monitoring24 | coralogix-opentelemetry-collector | 15 |
| monitoring24 | null | 487 |
The first three rows represent counts for each subsystem within the
application. The final row shows the total count per application, where ss
is null to indicate aggregation across all subsystems.
Example 2
Use case: Different aliases
If you use distinct aliases for each grouping, such as app1 and app2, the
data remains separate but aligned:
Example query
source logs | multigroupby ($l.applicationname as app1, $l.subsystemname as ss), ($l.applicationname as app2) agg count()
Example output
{ "_count0": 241, "app1": "monitoring24", "app2": null, "ss": "coralogix-opentelemetry-agent" },
{ "_count0": 231, "app1": "monitoring24", "app2": null, "ss": "coralogix-opentelemetry-collector" },
{ "_count0": 15, "app1": "monitoring24", "app2": null, "ss": "no_subsystem_name" },
{ "_count0": 487, "app1": null, "app2": "monitoring24", "ss": null }
This approach clearly separates detailed and aggregate groupings while combining both results in one dataset.