multigroupby
Description
The multigroupby command concatenates the results from two or more groupby queries into a single dataset. It allows multiple aggregation queries to execute in one scan, improving efficiency and keeping grouped results synchronized.
Key benefits:
- Efficiency: Data is scanned only once across multiple groupings.
- Synchronization: Results remain coherent, avoiding mismatches between independently run groupby queries.
Note
The maximum number of buckets that multigroupby can process is 64.
Syntax
multigroupby (<grouping_expression_1> as <alias> [, <grouping_expression_2> as <alias_2>, ...])
[, (<grouping_expression_1> as <alias> [, <grouping_expression_2> as <alias_2>, ...]), ...]
[aggregate] <aggregation_expression> [as <result_keypath>] [, <aggregation_expression_2> [as <result_keypath_2>], ...]
Example 1
Use case: Compare subsystem-level and application-level counts in one query
With multigroupby, you can produce both detailed counts (e.g. per subsystem) and higher-level totals (e.g. per application) in a single scan. This avoids running two separate queries and ensures the results are synchronized.
Example data
{ "applicationname": "monitoring24", "subsystemname": "NO_SUBSYSTEM_NAME" },
{ "applicationname": "monitoring24", "subsystemname": "coralogix-opentelemetry-agent" },
{ "applicationname": "monitoring24", "subsystemname": "coralogix-opentelemetry-collector" },
{ "applicationname": "monitoring24", "subsystemname": "NO_SUBSYSTEM_NAME" },
{ "applicationname": "monitoring24", "subsystemname": "coralogix-opentelemetry-agent" }
Example query
source logs
| multigroupby ($l.applicationname as app, $l.subsystemname as ss), ($l.applicationname as app)
agg count()
| orderby app, ss
Example output
| app | ss | _count0 |
|---|---|---|
| monitoring24 | NO_SUBSYSTEM_NAME | 241 |
| monitoring24 | coralogix-opentelemetry-agent | 231 |
| monitoring24 | coralogix-opentelemetry-collector | 15 |
| monitoring24 | null | 487 |
The first three rows represent counts for each subsystem within the application. The final row shows the total count per application, where ss is null to indicate aggregation across all subsystems.
Example 2
Use case: Different aliases
If you use distinct aliases for each grouping, such as app1 and app2, the data remains separate but aligned:
Example query
source logs | multigroupby ($l.applicationname as app1, $l.subsystemname as ss), ($l.applicationname as app2) agg count()
Example output
{ "_count0": 241, "app1": "monitoring24", "app2": null, "ss": "coralogix-opentelemetry-agent" },
{ "_count0": 231, "app1": "monitoring24", "app2": null, "ss": "coralogix-opentelemetry-collector" },
{ "_count0": 15, "app1": "monitoring24", "app2": null, "ss": "no_subsystem_name" },
{ "_count0": 487, "app1": null, "app2": "monitoring24", "ss": null }
This approach clearly separates detailed and aggregate groupings while combining both results in one dataset.