The search expression decides which rows to consider for the aggregation. Having is used
to filter the groups after aggregation.
Say you count requests grouped by http.route. The chart comes back with 1000
series, including every health check, every random 404, every endpoint that served
three requests this week. Number of these endpoint don’t really matter because they
are not relevant in terms of number of requests.
This having filters away the low traffic and shows the endpoints with real traffic.
Other examples.
- Slow routes only:
p99(duration_nano) > 1000000000 more than 1s
- Adoption:
count_distinct(user.id) > 100 features that have more than 100
users adoption.
The search expression decides which rows to consider for the aggregation. Having is used
to filter the groups after aggregation.
Say you count requests grouped by
http.route. The chart comes back with 1000series, including every health check, every random 404, every endpoint that served
three requests this week. Number of these endpoint don’t really matter because they
are not relevant in terms of number of requests.
This having filters away the low traffic and shows the endpoints with real traffic.
Other examples.
p99(duration_nano) > 1000000000more than 1scount_distinct(user.id) > 100features that have more than 100users adoption.