# Pipeline Operations ### Overview Pipeline operations transform query results using the pipe operator `|`. Chain multiple operations together to filter, sort, limit, rename fields, and more. Operations are executed sequentially from left to right. ### Syntax ``` | | | ``` Each operation processes the output of the previous step. ### sort Order results by one or more fields. **Syntax:** ``` | sort by (field1 [asc|desc], field2 [asc|desc], ...) ``` **Single field:** ``` * | stats by (workload) count() as total | sort by (total desc) ``` **Multiple fields:** ``` * | stats by (workload) count() | sort by (workload asc, count desc) ``` ### limit Limit the number of results returned. **Syntax:** ``` | limit N ``` ``` * | limit 100 ``` ### offset Skip a number of results (for pagination). **Syntax:** ``` | offset N ``` ``` * | sort by (timestamp desc) | offset 20 | limit 10 ``` *Records 21-30 (page 3)* ### fields Select specific fields to include in results (similar to SQL SELECT). > **Note:** The `fields` pipe does not work with time-series visualizations. For time-series queries, all fields from the aggregation are included automatically. **Syntax:** ``` | fields field1, field2, field3, ... ``` ``` * | fields timestamp, level, message ``` ### rename Rename fields for clarity or compatibility. **Syntax:** ``` | rename old_name1 as new_name1, old_name2 as new_name2, ... ``` ``` * | rename aa as service_name, bb as region ``` ### format Format output strings using a template with field values. **Syntax:** ``` | format "template with and " ``` ``` * | format "request from : is sent" ``` ### uniq Get unique combinations of specified fields (similar to SQL DISTINCT + GROUP BY). **Syntax:** ``` | uniq (field1, field2, ...) [limit N] ``` ``` * | uniq (workload) ``` *Unique workloads* ### filter Apply additional filters after aggregations or transformations. **Syntax:** ``` | filter ``` **Aliases:** `| ` (implicit) ``` * | stats by (workload) count() as total | filter total:>1000 ``` *Workloads with more than 1000 logs* ### math Perform mathematical calculations on fields and create new calculated fields. **Syntax:** ``` | math ``` **Arithmetic Operators:** * `+` - Addition * `-` - Subtraction * `*` - Multiplication * `/` - Division * `%` - Modulo * `^` - Power **Functions:** * `max(a, b)` - Maximum of two values * `min(a, b)` - Minimum of two values * `abs(x)` - Absolute value * `exp(x)` - Exponential (e^x) * `ln(x)` - Natural logarithm * `round(x)` - Round to nearest integer * `ceil(x)` - Ceiling (round up) * `floor(x)` - Floor (round down) * `rand()` - Random number * `now()` - Current timestamp #### Basic Arithmetic ``` * | stats by (resource) count() requests, sum(errors) errors | math errors / requests error_rate ``` *Calculate error rate* #### Complex Expressions Operator precedence follows standard math rules (multiplication/division before addition/subtraction). ``` * | count() a, count_uniq(workload) b | math a / b - 3 result ``` *Expression with precedence: (a / b) - 3* ``` * | stats by (node) avg(cpu) cpu, avg(memory) mem | math cpu * 0.7 + mem * 0.3 health_score ``` *Weighted health score* #### With Functions ``` * | stats by (workload) avg(value) avg_val | math round(avg_val) rounded_value ``` *Round to integer* #### Chaining Math Operations ``` * | count() a, count_uniq(workload) b | math a / b ratio | math ratio * 100 percentage ``` *Chain multiple math operations* #### With Join ``` level:info | stats by (workload) count() info_count | join by (workload) (level:error | stats by (workload) count() error_count) | math error_count / info_count error_ratio ``` *Calculate ratio from joined data* --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.groundcover.com/use-groundcover/querying-your-groundcover-data/groundcover-query-language/pipeline-operations.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.