Learn about the query syntax, operators, and functions supported by Wavefront Query Language.

The Wavefront Query Language allows you to extract the information you need from time series data. You use the query language for queries that display in charts and for alerts. This page is a complete reference to all query language elements and functions. You can click most functions for a page with details and examples. For some background information, see:

Query Elements

Term Definition
metric The name of a metric. For example: cpu.load.metric
source Source (usually host) that emitted the metric. Specify source names with the keyword source. For example:
source=appServer15
source tag A type of source metadata. Specify source tags with the keyword tag. For example:
tag=app.*
point tag A type of custom metric metadata. Point tags have keys and values. For example:
region=us-west-2b
timeWindow A measure of time, expressed as an integer number of units. You can specify:
  • Seconds, minutes, hours, days or weeks (1s, 1m, 1h, 1d, 1w). For example, 3h specifies 3 hours.
  • Time relative to the window length of the chart you are currently looking at (1vw). If you are looking at a 30 minute window, 1vw is one view-window length, and therefore equivalent to 30m.
  • Time relative to the bucket size of the chart (1bw). Wavefront calculates bucket size based on the view window length and screen resolution. You can see bucket size at the bottom left of each chart.
The default unit is minutes if the unit is not specified.
expression An expression consisting of a ts() expression, constant, or combination of ts() expressions and constants. See Expressions.

See Organizing with Tags for information on the different types of tags and how to use them.

Note: Do not use names of functions such as default or sum or other query language elements to name a metric, source, source tag, point tag, or point tag value. If you must, surround the element with double quotes. For example, if you’re using a point tag named default, use "default".

Expressions

An expression may be a ts() expression, a constant, or an arithmetic or Boolean combination of ts() expressions and constants.

Term Definition
ts() expression Returns all points that match a metric name, filtered by source names, alert names, source tags, alert tags, and point tags.
  • Syntax:
    ts(<metricName>,
      [source=<sourceName>] [and|or]
      [tag=<sourceTagName>] [and|or]
      [<pointTagKey1>=<pointTagValue1>[and|or] ... <pointTagKeyN>=<pointTagValueN>])
    
  • For metric, source, source tag, and point tag naming conventions, see Wavefront Data Format.
  • Sources, source tags, alert names, alert tags, and point tags are optional. For example, to return points from all sources sending the my.metric metric, specify ts(my.metric).
constant A number such as 5.01, 10000, or 40. Constants can be plotted by themselves and composed in expressions using arithmetic operators.
  • You can use SI prefixes (k, M, G, T, P, E, Z, Y) to scale constants by multiples of 1000. G (billion) and T (trillion) are useful when working with network and I/O metrics.
  • Example. Typing 1M is equivalent to typing 1000000
  • Example. Typing 7.2k is equivalent to typing 7200
wildcard Matches strings in metric names, source names, alert names, source tags, alert tags, and point tags.
  • A wildcard is represented with a "*" character. Wavefront supports no other wildcard characters.
  • Example. When filtering sources, match all sources starting with "app-1" (namely, app-10, app-11, app-12, and so on):
    source=app-1*
  • Example. When filtering point tags, match the time series that have <pointTagKey> with any value, and filter out any time series without <pointTagKey>:
    <pointTagKey>="*"
  • Example. When filtering point tags, find any time series that do not have the specified point tag.
    not <pointTagKey>="*"

Operators

All operations between expressions are subject to the matching processes described in Series Matching. The result is always interpolated.

  • Boolean operators - combine ts() expressions and constants and the filtering performed by source names, alert names, source tags, alert tags, and point tags.
    • and: Returns 1 if both arguments are nonzero. Otherwise, returns 0.
    • or: Returns 1 if at least one argument is nonzero. Otherwise, returns 0.
    • not: Use this operator to exclude a source, tag, or metric. See the examples below.
    • [and], [or]: Perform strict ‘inner join’ versions of the Boolean operators. Strict operators match metric|source|point tag combinations on both sides of the operator and filter out unmatched combinations.
  • Arithmetic operators
    • +, -, *, /: Match metric, source, and point tag combinations on both sides of an expression. If either side of the expression is a ‘singleton’ (that is, a single metric, source, or point tag combination), it automatically matches up with every element on the other side of the expression.
    • [+], [-], [*], [/]: Perform strict ‘inner join’ versions of the arithmetic operators. Strict operators match metric|source|point tag combinations on both sides of the operator and filter out unmatched combinations.
  • Comparison operators
    • <, <=, >, >=, !=, =: Returns 1 if the condition is true. Otherwise returns 0. Double equals (==) is not a supported Wavefront operator.
    • [<], [<=], [>], [>=], [=], [!=]: Perform strict ‘inner join’ versions of the comparison operators. Strict operators match metric|source|point tag combinations on both sides of the operator and filter out unmatched combinations.
  • Examples
    • (ts(my.metric) > 10) and (ts(my.metric) < 20) returns 1 if my.metric is between 10 and 20. Otherwise, returns 0.
    • ts(cpu.load.1m, tag=prod and tag=db) returns cpu.load.1m for all sources tagged with both prod and db.
    • ts(db.query.rate, tag=db and not source=db5.wavefront.com) returns db.query.rate for all sources tagged with db, except for the db5.wavefront.com source.
    • ts("smp-fax*.count" and not "smp-fax*.metrics.wavefront.*", source="-eq*") returns all metrics that match "smp-fax*.count" except for those matching "smp-fax*.metrics.wavefront.*" for any sources that start with -eq.
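
The wildcard and Boolean filter examples above can be checked against a small inventory. This is an added example, not Wavefront code: a Python model of source, source tag, and point tag filtering. The sample series, the function names, and the precedence (not, then and, then or) are assumptions; values containing spaces are not handled.

```python
import re

# Constructed sample inventory: source name, source tags, point tags.
SERIES = [
    {"source": "db1.wavefront.com", "tags": {"prod", "db"},
     "point_tags": {"region": "us-west-2a"}},
    {"source": "db5.wavefront.com", "tags": {"db"},
     "point_tags": {"region": "us-west-2b"}},
    {"source": "app-10", "tags": {"prod", "app.web"}, "point_tags": {}},
    {"source": "app-2", "tags": {"app.batch"},
     "point_tags": {"region": "us-west-2b"}},
]


def wildcard_match(pattern, value):
    """'*' is the only wildcard; every other character is matched literally."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def term_matches(term, series):
    """Evaluate one key=value term against one series."""
    key, sep, pattern = term.partition("=")
    if not sep or not key:
        raise ValueError(f"expected key=value, got {term!r}")
    key, pattern = key.strip('"'), pattern.strip('"')
    if key == "source":
        return wildcard_match(pattern, series["source"])
    if key == "tag":
        return any(wildcard_match(pattern, t) for t in series["tags"])
    # Any other key is treated as a point tag key. A series without the
    # key never matches, which is why <key>="*" filters such series out.
    value = series["point_tags"].get(key)
    return value is not None and wildcard_match(pattern, value)


def evaluate(filter_text, series):
    """Recursive-descent evaluation; assumed precedence: not > and > or."""
    tokens = filter_text.split()
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def parse_not():
        nonlocal pos
        if peek() is None:
            raise ValueError("filter ended unexpectedly")
        token = tokens[pos]
        pos += 1
        if token == "not":
            return not parse_not()
        return term_matches(token, series)

    def parse_and():
        nonlocal pos
        result = parse_not()
        while peek() == "and":
            pos += 1
            rhs = parse_not()  # always consume the right-hand side
            result = result and rhs
        return result

    def parse_or():
        nonlocal pos
        result = parse_and()
        while peek() == "or":
            pos += 1
            rhs = parse_and()
            result = result or rhs
        return result

    matched = parse_or()
    if pos != len(tokens):
        raise ValueError(f"unexpected token {tokens[pos]!r}")
    return matched


def select(filter_text):
    """Names of the sample sources whose series pass the filter."""
    return [s["source"] for s in SERIES if evaluate(filter_text, s)]


if __name__ == "__main__":
    for f in ("tag=prod and tag=db",
              "tag=db and not source=db5.wavefront.com",
              "source=app-1*", 'region="*"', 'not region="*"'):
        print(f"{f:45} -> {select(f)}")
```

Because "." is literal, tag=app.* selects app.web and app.batch but would not select a tag such as appserver.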

Tags in Queries

Tags can help you organize your data and filter them, either in the UI or in a query. Here’s an overview. See Organizing with Tags for details.

  • Source tags allow you to group sources. For example, if you have two sources, appServer15 and appServer16, you can add the source tag app to both sources to specify that both are app servers. You can then query ts(cpu.load.metric, tag=app) instead of ts(cpu.load.metric, source=appServer15 or source=appServer16).
  • Point tags are an additional way to describe metrics. For example, assume your data include the point tag region with value us-west-2a and us-west-2b.
  • Alert tags allow you to group alerts.

Variables in Queries

We support variables in several ways:

  • A query line variable allows you to refer to a query line as a variable in another query field within the same chart. The query line variable name is the same as the query line name and is referenced in another query field with the syntax ${queryLineName}. For example, if you have a query line named queryLine1 with ts(requests.latency) as the expression, you can enter ${queryLine1} in another query field to reference ts(requests.latency). The query line being referenced must be a complete expression. If a query line variable and dashboard variable have the same name, the query line variable overrides the dashboard variable.
  • An alias defines any ts() expression as an alias within that single query line using a SQL-style “as” expression. The syntax of an alias is: expression as <aliasName>. If you specify expression as myAlias, you reference the alias as $myAlias. You can use $myAlias multiple times in that query line, and define multiple aliases within a query line.
    • Use names that are three letters or longer.
    • You can’t use the SI prefixes (such as k, G, or T) as alias names.
    • Numeric characters are allowed only at the end of the alias name ($test123 is ok, but $1test or $test4test is not).
  • A dashboard variable can be used within any query line in every chart contained in a specific dashboard. A dashboard variable can replace any string of text; in contrast, a query line variable and alias must be a complete expression. If you define dashvar in a dashboard, you refer to ${dashvar} within any query line. You can use aliases, query line variables, and dashboard variables in the same query line. You can even use the same variable name for a dashboard and an alias (though we don’t recommend it). See Dashboard Variables.

Aggregation Functions

Aggregation functions are a way to combine (aggregate) multiple time series into a single result series. Wavefront provides two types of aggregation functions that differ in how they handle data points that do not line up:

  • Standard aggregation functions interpolate values wherever necessary in each input series. Then the aggregation function itself is applied to the interpolated series.
  • Raw aggregation functions do not interpolate the underlying series before aggregation.

All aggregation functions provide parameters for filtering the set of input series, as well as ‘group by’ parameters for returning separate results for groups of input series that share common metric names, source names, source tags, point tags, and point-tag values.

Function Definition
sum(<expression> [,metrics|sources|sourceTags|pointTags|<pointTagKey> ]) Returns the sum of the time series described by expression. The results might be computed from real reported values and interpolated values.
rawsum(<expression> [,metrics|sources|sourceTags|pointTags|<pointTagKey>]) Returns the raw sum of the time series described by expression. The results are computed from real reported data values only, with no interpolated values.
avg(<expression>[,metrics|sources|sourceTags|pointTags|<pointTagKey>]) Returns the average (mean) of the time series described by expression. The results might be computed from real reported values and interpolated values.
rawavg(<expression> [,metrics|sources|sourceTags|pointTags|<pointTagKey>]) Returns the raw average (mean) of the time series described by expression. The results are computed from real reported data values only, with no interpolated values.
min(<expression>[,metrics|sources|sourceTags|pointTags|<pointTagKey>]) Returns the lowest value across the time series described by expression. The results might be computed from real reported values and interpolated values.
rawmin(<expression>[,metrics|sources|sourceTags|pointTags|<pointTagKey>]) Returns the lowest value across the time series described by expression. The results are computed from real reported data values only, with no interpolated values.
max(<expression>[,metrics|sources|sourceTags|pointTags|<pointTagKey>]) Returns the highest value across the time series described by expression. The results might be computed from real reported values and interpolated values.
rawmax(<expression>[,metrics|sources|sourceTags|pointTags|<pointTagKey>]) Returns the highest value across the time series described by expression. The results are computed from real reported data values only, with no interpolated values.
count(<expression>[,metrics|sources|sourceTags|pointTags|<pointTagKey>]) Returns the number of reporting time series described by expression, where a time series is counted as reporting even if it has interpolated values.
rawcount(<expression>[,metrics|sources|sourceTags|pointTags|<pointTagKey>]) Returns the number of reporting time series described by expression, where a time series is counted as reporting at a given moment only if it has a real data value, instead of an interpolated value.
variance(<expression>[,metrics|sources|sourceTags|pointTags|<pointTagKey>]) Returns the variance based on the time series described by expression. The results might be computed from real reported values and interpolated values.
rawvariance(<expression>[,metrics|sources|sourceTags|pointTags|<pointTagKey>]) Returns the variance across the time series described by expression. The results are computed from real reported data values only, with no interpolated values.
percentile(<percentage>, <expression>[,metrics|sources|sourceTags|pointTags|<pointTagKey>]) Returns the estimated percentile for the specified percentage, across the time series described by expression. The results might be computed from real reported values and interpolated values.
rawpercentile(<percentage>, <expression>[,metrics|sources|sourceTags|pointTags|<pointTagKey>]) Returns the estimated percentile for the specified percentage, across the time series described by expression. The results are computed from real reported data values only, with no interpolated values.
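
To make the difference between standard and raw aggregation concrete, this added example (a simplified Python model, not Wavefront's implementation) aggregates two constructed series whose points do not line up. It assumes linear interpolation between a series' neighbouring real points and no value outside its first and last point; all function names are hypothetical.

```python
from bisect import bisect_left

# Constructed sample data: {timestamp_in_seconds: reported_value}.
# The two sources report on offset schedules, so their points never align.
SERIES = {
    "app-1": {0: 10.0, 60: 20.0, 120: 30.0},
    "app-2": {30: 100.0, 90: 200.0},
}


def value_at(points, t, interpolate):
    """Value of one series at time t, or None if it contributes nothing."""
    if t in points:
        return points[t]              # a real reported value
    if not interpolate:
        return None                   # raw functions use real values only
    times = sorted(points)
    i = bisect_left(times, t)
    if i == 0 or i == len(times):
        return None                   # assumed: no extrapolation past the ends
    t0, t1 = times[i - 1], times[i]
    frac = (t - t0) / (t1 - t0)
    return points[t0] + frac * (points[t1] - points[t0])


def aggregate(series, combine, interpolate):
    """Apply combine() at every timestamp where any series has a real point."""
    timestamps = sorted({t for points in series.values() for t in points})
    result = {}
    for t in timestamps:
        values = []
        for points in series.values():
            v = value_at(points, t, interpolate)
            if v is not None:
                values.append(v)
        result[t] = combine(values)
    return result


def model_sum(series):        # models sum()
    return aggregate(series, sum, True)


def model_rawsum(series):     # models rawsum()
    return aggregate(series, sum, False)


def model_count(series):      # models count()
    return aggregate(series, len, True)


def model_rawcount(series):   # models rawcount()
    return aggregate(series, len, False)


def below_threshold(result, threshold):
    """Timestamps at which an aggregated value is under a threshold."""
    return [t for t, v in sorted(result.items()) if v < threshold]


if __name__ == "__main__":
    for name, fn in (("sum", model_sum), ("rawsum", model_rawsum),
                     ("count", model_count), ("rawcount", model_rawcount)):
        print(f"{name:9}", fn(SERIES))
    print("sum    < 110 at", below_threshold(model_sum(SERIES), 110))
    print("rawsum < 110 at", below_threshold(model_rawsum(SERIES), 110))
```

In this model the raw sum drops to a single source's value at every timestamp where the other source has no real point, so a threshold condition written against it can trip at times when the interpolated sum stays above the threshold.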

Filtering and Comparison Functions

Function Definition
highpass(<expression1>, <expression2>[, inner]) Returns only the points in expression2 that are above expression1. expression1 can be a constant.
lowpass(<expression1>, <expression2>[, inner]) Returns only the points in expression2 that are below expression1. expression1 can be a constant.
min(<expression1>, <expression2>) Returns the lower of the two values in expression1 and expression2. For example: min(160, ts(my.metric)) returns 160 if my.metric is > 160. If my.metric is < 160, returns the value of my.metric.
max(<expression1>, <expression2>) Returns the higher of the two values in expression1 and expression2. For example: max(160, ts(my.metric)) returns 160 if my.metric is < 160. If my.metric is > 160, returns the value of my.metric.
between(<expression>, <lower>, <upper>) Returns 1 if expression is >= lower and <= upper. Otherwise, returns 0. This function outputs continuous time series.
downsample(<timeWindow>, <expression>) Returns the values in expression that occur in each time window. For example: downsample(30m, ts(my.metric)) returns the values of my.metric every half hour.
align(<timeWindow>,[mean|median|min|max|first|last|sum|count,] <expression>) Groups the data values of a time series into buckets of size timeWindow, and returns one displayed value per bucket. Each returned value is the result of combining the data values in a bucket using the specified summarization method.
topk(<numberOfTimeSeries>, [mean|median|min|max|sum|count, [<timeWindow>,]] <expression>) Returns the top numberOfTimeSeries series described by expression. Ranking for a series is based on its last displayed data value or on data values summarized over a time window.
bottomk(<numberOfTimeSeries>, [mean|median|min|max|sum|count, [<timeWindow>,]] <expression>) Returns the bottom numberOfTimeSeries series described by expression. Ranking for a series is based on its last displayed data value or on data values summarized over a time window.
top(<numberOfTimeSeries>, [mean|median|min|max|sum|count, [<timeWindow>,]] <expression>) Returns 1 for the top numberOfTimeSeries series described by expression, and 0 for the remaining series. Ranking for a series is based on its last displayed data value or on data values summarized over a time window.
bottom(<numberOfTimeSeries>, [mean|median|min|max|sum|count, [<timeWindow>,]] <expression>) Returns 1 for the bottom numberOfTimeSeries series described by expression, and 0 for the remaining series. Ranking for a series is based on its last displayed data value or on data values summarized over a time window.
filter(<expression> [, <metric>|source=|tagk=]) Retains only the time series in expression that match the specified metric, source, or point tag. No key is required to filter a time series. filter() is similar to retainSeries(), but does not support matching a source tag.
retainSeries(<expression> [, <metric>|source=|tag=|tagk=]) Retains only the time series in expression that match the specified metric, source, source tag, or point tag. No key is required to retain a time series.
removeSeries(<expression> [, <metric>|source=|tag=|tagk=]) Suppresses any time series in expression that matches the specified metric, source, source tag, or point tag. No key is required to remove a time series.
sample(<numberOfTimeSeries>, <expression>) Returns a non-random sample set of numberOfTimeSeries time series based on expression. Repeated calls display the same sample set as long as the underlying set of time series stays the same.
random(<numberOfTimeSeries>, <expression>) Returns a random set of numberOfTimeSeries time series based on expression. Repeated calls always display different sample sets.
limit(<numberOfTimeSeries>[, <offsetNumber>], <expression>) Returns numberOfTimeSeries time series. Use the optional offsetNumber to specify an index to start with.
hideBefore(<timeWindow>, <expression>) Hides data before a specified time. For example, hideBefore(10m) hides data that’s older than 10 minutes.
hideAfter(<timeWindow>, <expression>) Hides data after a specified time. For example, hideAfter(10m) hides data that’s newer than 10 minutes ago.

Standard Time Functions

Function Definition
rate([<timeWindow>], <expression>) Returns the per-second change of the time series described by expression. Recommended for counter metrics that report only increasing data values over regular time intervals. Handles counter resets.
deriv(<expression>) Returns the per-second change of the time series described by expression. Appropriate for metrics that report increasing or decreasing data values.
ratediff(<expression>) Returns the differences between adjacent values in each time series described by expression. Recommended for counter metrics that report only increasing data values over irregular time intervals. Handles counter resets.
lag(<timeWindow>, <expression>) Returns earlier data values from the time series described by expression, time-shifting the values by timeWindow to enable you to compare a time series with its own past behavior.
lead(<timeWindow>, <expression>) Returns later data values from the time series described by expression, time-shifting the values by timeWindow to enable you to compare a time series with its own subsequent or forecasted behavior.
at(<timeWindow>, <expression>) Returns a data value reported at a particular time by the time series described by expression. The returned value is displayed continuously across the chart, so you can use it as a reference value for comparing against other queries.
year(<timezone>) Returns the year in the specified time zone. Years are returned as 4-digit numbers in the Gregorian calendar.
month(<timezone>) Returns the month of the year in the specified time zone. Months are returned as whole numbers from 1 (January) through 12 (December).
dayOfYear(<timezone>) Returns the day of the year in the specified time zone. Days of the year are returned as whole numbers from 1 to 366.
day(<timezone>) Returns the day of the month in the specified time zone. Days of the month are returned as whole numbers from 1 to 31.
weekday(<timezone>) Returns the day of the week in the specified time zone. Days of the week are returned as whole numbers from 1 (Monday) to 7 (Sunday).
hour(<timezone>) Returns the hour within the day in the specified time zone. Hours are returned as decimal values from 0.0 to 24.0.
isToday(<timezone>) Tests for the current day in the specified time zone. Return values are 1 for times during the current day, or 0 for times before or after today.
timestamp(<expression>) Returns the timestamps associated with the reported data values in the time series described by expression.
time() Returns the epoch seconds representing each point in time.

Moving Window Time Functions

Moving window time functions allow you to calculate continuous aggregation over sliding windows. For further information, see Using Moving and Tumbling Windows to Highlight Trends.

These functions output continuous time series, with the exception of integral().

Function Definition
mavg(<timeWindow>, <expression>) Returns the moving average of each series for the specified time window.
msum(<timeWindow>, <expression>) Returns the moving sum of each series for the specified time window. Don't confuse this function with mcount(), which returns the number of data points.
mmedian(<timeWindow>, <expression>) Returns the moving median of each series for the specified time window.
mvar(<timeWindow>, <expression>) Returns the moving variance of each series for the specified time window.
mcount(<timeWindow>, <expression>) Returns the number of data points reported by each time series over the specified time window.
mmin(<timeWindow>, <expression>) Returns the minimum of each series for the specified time window.
mmax(<timeWindow>, <expression>) Returns the maximum of each series for the specified time window.
mpercentile(<timeWindow>, <percentileValue>, <expression>) Returns the percentile of each series for the specified time window. The percentile value must be greater than 0 and less than 100.
mseriescount(<timeWindow>, <expression> [,<metrics> |sources|sourceTags|pointTags|<pointTagKey>]) Returns the aggregated number of series reporting during the specified time window.
mdiff(<timeWindow>, <expression>) Returns the difference between the current value of the expression and the expression's value at the point in time that is timeWindow ago. This function doesn't interpolate the points before doing the subtraction.
mcorr(<timeWindow>, <expression1>, <expression2> [,inner]) Returns the moving correlation between two expressions for a specified time window.
integrate(<timeWindow>, <expression>) Returns the moving integration for the specified expression for the specified time window.
integral(<expression>) Returns the moving sum over time for the given expression over the time window of the current chart window.
flapping(<timeWindow>, <expression>) Returns the number of times a counter has reset within the specified time window.
any(<timeWindow>, <expression>) Returns 1 if the expression has been non-zero at any time during the specified time window. Otherwise, returns 0.
all(<timeWindow>, <expression>) Returns 1 if the expression has been non-zero at every point in time during the time window. Otherwise, returns 0.

Conditional Functions

Function Definition
if(<conditionalExpression>, <thenExpression> [, <elseExpression>]) Returns points from thenExpression only while conditionalExpression > 0. Otherwise, returns points from elseExpression, if it is specified. conditionalExpression must evaluate to a series of numeric values, and typically includes numeric comparisons or transformations of time series. When both thenExpression and elseExpression return data, if() performs series matching against conditionalExpression.

Rounding Functions

Function Definition
round(<expression>) Returns the nearest integer for each data value in the specified time series.
ceil(<expression>) Returns the ceiling for the specified time series, by rounding any data values with decimals up to the next largest integer.
floor(<expression>) Returns the floor for the specified time series, by rounding any data values with decimals down to the next smallest integer.

Missing Data Functions

Missing data functions allow you to interpolate missing data with points based on other points in a series.

Function Definition
default([<timeWindow>,] [<delayTime>,] <defaultValue>, <expression>) Fills in gaps in expression with defaultValue (whether that's a constant or an expression). The optional timeWindow parameter fills in the specified period of time after each existing point (for example, 5m for 5 minutes). Without this argument, all gaps are filled in. The optional delayTime parameter specifies the amount of time that must pass without a reported value in order for the default value to be applied.
last([<timeWindow>, ] <expression>) Fills in gaps in expression with the last known value of expression. Use the optional timeWindow parameter to fill in a specified time period after each existing point.
next([<timeWindow>, ] <expression>) Fills in gaps in expression with the next known value of expression. Use the optional timeWindow parameter to fill in a specified time period before the first data point after the missing data.
interpolate(<expression>) Fills in gaps in expression with a continuous linear interpolation of points.

Metadata Functions

Metadata functions help users rename a metric, source, or create a synthetic point tag on a metric. There are three ways to formulate the alias:

  • Node index - Extract a string component based on a zeroBasedNodeIndex. Components are identified by the default delimiter “.” or a delimiter specified in delimiterDefinition.
  • Regular expression replacement - Identify the string using a regular expression and replacement string using a replacement pattern.
  • String substitution - Replace a metric or source in an expression with a replacement string.

Function Definition
aliasMetric(<expression>[,metric|source|{tagk,<pointTagKey>},][zeroBasedNodeIndex[ delimiterDefinition] | "<regexSearchPattern>", "<replacementPattern>" | "<replacementString>"]) Extracts a string from an existing metric name, source name, or point tag value and renames the metric in the expression with that string. If you don’t specify the metric|source|{tagk, <pointTagKey>} parameter, it defaults to source.
aliasSource(expression[,metric|source|{tagk,<pointTagKey>},] [zeroBasedNodeIndex[ delimiterDefinition] | "regexSearchPattern", "replacementPattern" | "replacementString"]) Replaces one or more source names in a ts() expression with a string extracted from the metric name(s), source name(s), or point tag value(s).
taggify(expression,metric|source|{tagk,<pointTagKey>},<newPointTagKey>, [zeroBasedNodeIndex[ delimiterDefinition] | "regexSearchPattern", "replacementPattern" | "replacementString"]) Lets you extract a string from an existing metric name, source name, or point tag value and create a synthetic point tag key value for that query.

Examples

  • Node index: In aliasMetric(ts(cpu.loadavg.1m, source), 1), the extracted string is selected by node index. The metric cpu.loadavg.1m has 3 components. Setting zeroBasedNodeIndex to 1 extracts the second component (loadavg).
  • Node index with delimiter: cpu-loadavg-1m sets delimiterDefinition to -.
  • String substitution:
    • Original: max(ts(customer.alerts.active), metrics)
    • Renamed: aliasMetric(${original}, "Total Number Of Alerts"), replaces the metric customer.alerts.active with "Total Number Of Alerts".

Exponential and Trigonometric Functions

Function Definition
sqrt(<expression>) Returns the square root of each data value described by the expression.
pow(<baseExpression>, <exponentExpression>[, inner]) Raises the base expression to the power of the exponent expression.
exp(<expression>) Returns the natural exponential for each data value described by the expression.
log(<expression>) Returns the natural log of each data value described by the expression.
log10(<expression>) Returns the log base 10 of each data value described by the expression.
sin(<expression>), cos(<expression>), tan(<expression>), asin(<expression>), acos(<expression>), atan(<expression>), atan2(<y-expression>, <x-expression>), sinh(<expression>), cosh(<expression>), tanh(<expression>) Performs the specified trigonometric function on each data value described by the expression. See Trigonometric Functions for details.
toDegrees(<numRadians>), toRadians(<numDegrees>) Converts radians to degrees, and vice versa. See Trigonometric Utility Functions for details.

Predictive and Histogram Functions

Function Definition
anomalous(<testWindow>, [<confidenceFactor>,] [<historyWindow>, [<alignWindow>,]] <expression>) Returns the percentage of anomalous points in each time series described by the expression. Anomalous points have values that fall outside an expected range, as determined by confidenceFactor.
hw(<historyLength>, <seasonLength>, <samplingRate>, <expression>[, <alpha>, <beta>, <gamma>]) Returns a smoothed version of each time series described by the expression, and forecasts its future points using the Holt-Winters triple exponential smoothing algorithm for seasonal data.
forecast(<expression>) Forecasts future data values for each time series described by the expression. The chart's bucket size affects the amount of data used in the predictions. A larger bucket size produces faster, but less detailed, results.
hs(<histogram_metric>) Returns a histogram metric, which you can query with certain other query language functions. See Wavefront Histograms for details.

Event Functions

You can use event functions to display events in charts, for example, to inform other users about reasons for an event. Other event functions help you filter events, so that only events you’re interested in are displayed. Some events() functions return synthetic events. These events are displayed by the query, but not stored in Wavefront.

See Basic events() Queries. See Advanced events() Queries for details about the different kinds of events() functions.

Function Definition
events(<filters>) Returns the set of events that match <filters>. See Event Filters for a list of available filters. The returned set of events can be passed as an argument to functions that accept events. When passed to a chart query, displays the events. The chart must contain at least 1 ts() expression for events to display.
count(<events>) Converts <events> into a single time series, where every data point represents the number of events that started at that time minus the number of events that ended at that time. Instantaneous events are represented as a single "0" value: 1 started minus 1 ended (instantaneous events are defined as events having their end time equal to their start time).
ongoing(<events>) Returns a continuous time series representing the number of ongoing events at any given moment within the query time window. See When Does an Event Query Return Events? for some background information.
closed(<events>) Returns events that have ended and instantaneous events that occurred in the past.
until(<events>) Returns synthetic events that start at the beginning of epoch time (Jan 1, 1970) and end where the input events start.
after(<events>) Returns synthetic ongoing events that start the moment the input events end.
since(<events>) Returns synthetic events with the same start time and no end time (converts all input events to ongoing events).
since(timeWindow) Creates a single synthetic event that started timeWindow ago and ended "now". Specify timeWindow in seconds, minutes, hours, days or weeks (e.g., 1s, 1m, 1h, 1d, 1w). Default is minutes.
timespan(startTimestamp, endTimestamp) Creates a single synthetic event with the specified start and end timestamps. A timestamp can be expressed in epoch seconds or using a time expression such as "5 minutes ago". Example: timespan("5 minutes ago", "2 minutes ago").
first(<events>) Returns a single event with the earliest start time.
last(<events>) Returns a single event with the latest start time.
firstEnding(<events>) Returns a single event with the earliest end time.
lastEnding(<events>) Returns a single event with the latest end time.

The following example shows a query you could use to filter the events in your charts.

events(type=alert, name="disk space is low", alertTag=MicroService.App1.*)

See Event Filters for details on filters.

Miscellaneous Functions

Function Definition
collect(<expression1>, <expression2> [, <expression3>, ...]) Returns a single ts() expression that is the combination of two or more ts() expressions.
exists(<expression>) Returns 1 if any time series described by the expression exists, and returns 0 otherwise. A time series exists if it has reported a data value in the last 4 weeks.
abs(<expression>) Returns the absolute value of the time series described by the expression.
random() Returns random values between 0.0 and 1.0. Repeated calls display different random values.
normalize(<expression>) Normalizes each time series described by the expression, so that its values are scaled between 0 and 1.0.
haversine(<lat1>, <long1>, <lat2>,<long2>) Returns the distance between a pair of coordinates.
bestEffort(<expression>) Wrapping any query expression in bestEffort() tells Wavefront to use conservative targets for scheduling workloads. That means we limit thread use and asynchronous operations.