Aggregator Functions provide many ways to customize signals aggregations. These functions execute a specified operation on data coming from source event fields and accumulate the new value in a target field of the aggregated result.
Functions are implemented in a aggregator job definition, as a list within the
aggregates property. Each function definition includes the function type, source fields, target fields, and additional parameters as needed for the function type. Specifically, each function takes the following properties (unless otherwise noted); additional parameters are noted in the function descriptions below.
type: the function type.
sourceFields: the list of fields from source events. Data will be retrieved from these fields as inputs to the function.
targetField: the name of the target field where the aggregated result will be stored.
params: any additional parameters for the specific function type, as described below.
The "sourceFields" and "targetField" field names in function specifications can be optionally prefixed with "event:" or "result:". If there are no prefixes the sourceFields take values from the current event being aggregated, and the targetField takes (or updates) the value in the current partial aggregated result. With these prefixes values can be processed and e.g. the original event can be updated, or event fields can be considered taking into account the accumulated values in the result.
Override default input field source:
Override default target field source: