Use Group By Sets in queries
This applies tov2.25
You can group by integer and string sets when building queries. Grouping by a set column will aggregate individual elements of sets across events in the query. Sets are assumed to be unordered and can be comprised of integers and strings.
Because event data can exist in multiple sets, the sum of the events of the set elements will be greater than the actual number of events.
To explain how Group By sets works, let's look at the following dataset where "fact" is a set of strings:
{"user_id": "mr_x", "time": "5/4/2016 8:00:00 AM", "fact": ["fact_a", "fact_b"], "action": "createFile"}
{"user_id": "mrs_y", "time": "5/4/2016 12:00:00 PM", "fact": ["fact_b", "fact_c", "fact_d"], "action": "createFile"}
{"user_id": "ms_z", "time": "5/4/2016 4:00:00 PM", "fact": ["fact_a", "fact_b", "fact_d"], "action": "createFile"}
Group by fact
If you do a Count Events and group by fact, you get the following results:
| Fact | Count Events |
|---|---|
| fact_c | 1 |
| fact_b | 3 |
| fact_a | 2 |
| fact_d | 2 |
Ordering by key
When you sort by the key of the set element, the data is returned in the following order:
| Fact | Count Events |
|---|---|
| fact_a | 2 |
| fact_b | 3 |
| fact_c | 1 |
| fact_d | 2 |
Ordering by value
When you sort by the value of the set elements, data is returned in the following order:
| Fact | Count Events |
|---|---|
| fact_b | 3 |
| fact_a | 2 |
| fact_d | 2 |
| fact_c | 1 |