rows_near() plugin

Finds rows near a specified condition.

The plugin is invoked with the evaluate operator.

Syntax

T | evaluate rows_near(Condition, NumRows [, RowsAfter ])

Arguments

  • T: A serialized input tabular expression.
  • Condition: Boolean expression representing the condition to find rows around.
  • NumRows: The number of rows to find before and after the condition.
  • RowsAfter: (optional) when specified, overrides the number of rows to find after the condition.

Returns

Every row from the input that is within NumRows from a true Condition. When RowsAfter is specified, returns every row from the input that is NumRows before or RowsAfter after a true Condition.

Example

Find rows with an "Error" State, and return 2 rows before and after the "Error" record.

datatable (Timestamp:datetime, Value:long, State:string )
[
    datetime(2021-06-01), 1, "Success",
    datetime(2021-06-02), 4, "Success",
    datetime(2021-06-03), 3, "Success",
    datetime(2021-06-04), 11, "Success",
    datetime(2021-06-05), 15, "Success",
    datetime(2021-06-06), 2, "Success",
    datetime(2021-06-07), 19, "Error",
    datetime(2021-06-08), 12, "Success",
    datetime(2021-06-09), 7, "Success",
    datetime(2021-06-10), 9, "Success",
    datetime(2021-06-11), 4, "Success",
    datetime(2021-06-12), 1, "Success",
]
| sort by Timestamp asc 
| evaluate rows_near(State == "Error", 2)

Timestamp                      Value   State
2021-06-05 00:00:00.0000000    15      Success
2021-06-06 00:00:00.0000000    2       Success
2021-06-07 00:00:00.0000000    19      Error
2021-06-08 00:00:00.0000000    12      Success
2021-06-09 00:00:00.0000000    7       Success
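
The example above does not use the optional RowsAfter argument. The following query is an added example, not part of the original documentation: it keeps 1 row before and 3 rows after each failed sign-in for a single account. The table, account names and addresses are constructed sample data.

```kusto
// Constructed sample sign-in events (not real data).
datatable (Timestamp:datetime, Account:string, SourceIp:string, Result:string)
[
    datetime(2021-06-01 09:00:00), "alice",      "10.0.0.5",  "Success",
    datetime(2021-06-01 09:02:00), "svc-backup", "10.0.0.20", "Success",
    datetime(2021-06-01 09:05:00), "svc-backup", "10.0.0.20", "Success",
    datetime(2021-06-01 09:07:00), "alice",      "10.0.0.5",  "Success",
    datetime(2021-06-01 09:10:00), "svc-backup", "10.0.0.77", "Failure",
    datetime(2021-06-01 09:11:00), "svc-backup", "10.0.0.77", "Failure",
    datetime(2021-06-01 09:12:00), "svc-backup", "10.0.0.77", "Success",
    datetime(2021-06-01 09:15:00), "alice",      "10.0.0.5",  "Success",
    datetime(2021-06-01 09:20:00), "svc-backup", "10.0.0.77", "Success",
    datetime(2021-06-01 09:30:00), "svc-backup", "10.0.0.20", "Success",
    datetime(2021-06-01 09:45:00), "svc-backup", "10.0.0.20", "Success",
]
// rows_near counts neighbouring rows in the serialized order, so filter to
// one account first; otherwise other accounts' rows use up the window.
| where Account == "svc-backup"
// sort serializes the input, which the plugin requires.
| sort by Timestamp asc
// NumRows = 1 row before each failure, RowsAfter = 3 rows after it.
| evaluate rows_near(Result == "Failure", 1, 3)
```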