Events in a data table can easily be grouped to facilitate analysis. The result of grouping is a data table presenting all the different row value combinations of the grouped columns. Grouping is also required in order to subsequently apply aggregation operations on the data.
- Select the Group icon in the query window toolbar and the Operations Over Columns window appears with the Group option selected.
- Choose the time period you want to use to group the events and the arguments you want to use to define the groups.
- Select Group by. The result will be a row for each unique combination of arguments and time period. After grouping the data, you can repeat these steps to continue applying groups as many times as necessary.
There are two different types of grouping:
No time-based - Select No time-based grouping at the bottom of the Every field to get all the possible combinations of the columns added as arguments. In the following example, we have grouped the data using the Server and OperatingSystem columns as arguments to get all the possible combinations of operating systems and servers.
Be aware that the real-time data flow might interfere with this grouping option. Make sure you turn off the real-time data flow when grouping with a no time-based option, otherwise, it might not return any events.
- Temporal - You can include a time period when you group data in order to facilitate data analysis. Select the period you want to group by in the Every field. Note that the more columns you add as arguments in a temporal grouping, the less information you will extract, since the result will look more and more like the original table. This lets you see the different combinations of operating systems and IPs every 15 minutes.
applied search operations bar, each one indicating one of the grouping period types:In Devo, groupings use two different time periods to group the data. After grouping the data, you will see two different tabs in the
- Server grouping period - The first tab is the grouping period asked to the server. When you select a large period for your grouping, the server is requested to download a smaller interval, and is then recalculated to show the period you chose.
- Client grouping period - The second tab is the grouping period used by your browser and is the actual period you indicated in the grouping. Modifying this period does not request data to the server again, but only recalculates the groups locally.
For example, if you group data by three hours, Devo automatically sets the server grouping period to 30 minutes. Then, data is recalculated and grouped every three hours, which is the period you indicated in the query window.
To edit the period of a grouping, you can either click the pencil icon in the second tab of the grouping or click the gear icon of the toolbar and select Operations → Change client period.