Select clause
A find statement that specifies the every keyword can specify a select clause to calculate an aggregate value in order to find data based on many sets of events.
Specify the select keyword followed by a projection expression coassigned to an identifier. The projection expression contains aggregate function(s) that operate on one or more input events. See Built-in aggregate functions as well as Custom aggregates.
The projection expression can use coassignments from the pattern if the coassignments are within a single aggregate function call. For example, the following pattern computes the average value of the x member of event type A in the query's input and coassigns that average value to aax.
   find every A as a
      select avg(a.x) as aax
A select clause can use parameter and key values.
In an aggregating find statement, only the projection expression can use the coassignments from the pattern. The procedural block of code can use projection coassignments and any parameters or key values, but it cannot use coassignments from the pattern.
In find statements without the every modifier, only the most recent set of events that matches the pattern is used to invoke the procedural code block. With the every modifier, every set of events that matches the pattern is available for use by the aggregate function, provided that the latest event is present in one of the sets of events. Any events or combinations of events that do not match the pattern or do not match the where clause, or are invalidated due to a within or without clause, are ignored; their values are not used in the aggregate calculation.
Examples:
   find every ATMWithdrawal as w
      select last(w.transactionId) as tid
      having last(w.amount) > THRESHOLD * avg(w.amount) {
         route SuspiciousTransaction(tid);
   }

   find every A as a -> B as b
      where b.x >= 2
      select avg(a.x + b.x) as aabx {
         print aabx.toString();
   }
See Aggregating event field values for explanations of these examples, as well as additional examples.
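The aggregation semantics of the ATMWithdrawal example, modelled in Python as an added example (it is not Apama code and not part of the original page). The sample withdrawals, the THRESHOLD value, the aggregate_find name and the where parameter are constructed for illustration, and the model assumes every event seen so far is still in the query's input.

```python
from statistics import mean

THRESHOLD = 3.0  # constructed value; the page does not define THRESHOLD

# Constructed sample input: (transactionId, amount) per ATMWithdrawal, oldest first.
WITHDRAWALS = [("t1", 40.0), ("t2", 60.0), ("t3", 50.0),
               ("t4", 45.0), ("t5", 900.0), ("t6", 55.0)]


def aggregate_find(events, threshold, where=lambda e: True):
    """Model of:
        find every ATMWithdrawal as w
           select last(w.transactionId) as tid
           having last(w.amount) > THRESHOLD * avg(w.amount)
    Returns the tid values for which the procedural block would run.
    Assumption: no event has left the query's input yet.
    """
    matched = []  # match sets that feed the aggregate functions
    fired = []
    for event in events:
        if not where(event):
            # An event that fails the where clause is ignored: it joins no
            # match set and its value never reaches the aggregates.
            continue
        matched.append(event)
        amounts = [amount for _, amount in matched]
        # last() and avg() both see the latest event, so a spike also
        # raises the average it is being compared against.
        if amounts[-1] > threshold * mean(amounts):
            fired.append(matched[-1][0])  # last(w.transactionId) as tid
    return fired


if __name__ == "__main__":
    print(aggregate_find(WITHDRAWALS, THRESHOLD))
    # Only three contributing events: even a huge spike cannot exceed
    # 3 * avg, because the spike is itself one third of that average.
    print(aggregate_find([("a", 10.0), ("b", 10.0), ("c", 1_000_000.0)], 3.0))
```

For positive amounts the having condition can hold only once more than THRESHOLD events contribute to the aggregates, because the latest amount is part of the average it is compared with.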