The arg_min aggregation in APL allows you to identify the row in a dataset where an expression evaluates to the minimum value. You can use this to retrieve other associated fields in the same row, making it particularly useful for pinpointing details about the smallest value in large datasets. If you group your data, arg_min finds the row within each group where a particular expression evaluates to the minimum value.
This aggregation is particularly useful in scenarios like the following:
- Pinpoint the shortest HTTP requests in log data and retrieve associated details (like URL, status code, and user agent) for the same row.
- Identify the fastest span durations in OpenTelemetry traces with additional context (like span name, trace ID, and attributes) for the same row.
- Highlight the lowest severity security alerts in logs along with relevant metadata (such as alert type, source, and timestamp) for the same row.
For users of other query languages
If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
Splunk SPL doesn’t have an equivalent to arg_min. You can use stats with a combination of values and first clauses to evaluate the minimum value of a single numberic field. APL provides a dedicated arg_min aggregation that evaluates expressions.
['sample-http-logs']
| summarize arg_min(req_duration_ms, id, uri)In ANSI SQL, achieving similar functionality often requires a combination of MIN, GROUP BY, and JOIN to retrieve the associated fields. APL's arg_min eliminates the need for multiple steps by directly returning the row with the minimum value.
['sample-http-logs']
| summarize arg_min(req_duration_ms, id, uri)Usage
Syntax
| summarize arg_min(expression, field1, ..., fieldN)Parameters
expression: The expression to evaluate for the minimum value.field1, ..., fieldN: Additional fields to return from the row with the minimum value. Use*as a wildcard to return all fields from the row.
Returns
Returns a row where the expression evaluates to the minimum value for each group (or the entire dataset if no grouping is specified), containing the fields specified in the query.
Name fields
You can name fields in the parameters of arg_min using the syntax arg_min(name1=expression, name2=field1). This specifies the field names that appear in the output.
Query
['otel-demo-traces']
| summarize arg_min(duration, longestSpan=span_id), arg_min(numEvents=array_length(events), spanWithMostEvents=span_id)Output
| duration | longestSpan | numEvents | spanWithMostEvents |
|---|---|---|---|
| 190ns | 1a9f979bb25f6bbd | 1 | db13ffc3394905b5 |
Use case examples
You can use arg_min to identify the path with the shortest duration and its associated details for each method.
Query
['sample-http-logs']
| summarize arg_min(req_duration_ms, uri) by methodOutput
| req_duration_ms | uri | method |
|---|---|---|
| 0.1 | /api/login | POST |
This query identifies the paths with the shortest duration for each method and provides details about the path.
Use arg_min to find the span with the shortest duration for each service and retrieve its associated details.
Query
['otel-demo-traces']
| summarize arg_min(duration, trace_id, span_id, kind) by ['service.name']Output
| duration | trace_id | span_id | service.name | kind |
|---|---|---|---|---|
| 00:00:01 | abc123 | span456 | frontend | server |
This query identifies the span with the shortest duration for each service along with its metadata.
Find the lowest status code for each country in the ['sample-http-logs'] dataset.
Query
['sample-http-logs']
| summarize arg_min(toint(status), uri) by ['geo.country']Output
| geo.country | uri | status |
|---|---|---|
| USA | /admin | 200 |
| Canada | /dashboard | 201 |
This query identifies the URI with the lowest status code for each country.
List of related aggregations
- arg_max: Returns the row with the maximum value for a numeric field, useful for finding peak metrics.
- min: Returns only the minimum value of a numeric field without additional fields.
- percentile: Provides the value at a specific percentile of a numeric field.