ES|QL CATEGORIZE function

×

field

Expression to categorize

options

(Optional) Categorize additional options as function named parameters. }

Groups text messages into categories of similarly formatted text values.

CATEGORIZE has the following limitations:

• can’t be used within other expressions
• can’t be used more than once in the groupings
• can’t be used or referenced within aggregate functions and it has to be the first grouping

analyzer

(keyword) Analyzer used to convert the field into tokens for text categorization.

output_format

(keyword) The output format of the categories. Defaults to regex.

similarity_threshold

(integer) The minimum percentage of token weight that must match for text to be added to the category bucket. Must be between 1 and 100. The larger the value the narrower the categories. Larger values will increase memory usage and create narrower categories. Defaults to 70.

This example categorizes server logs messages into categories and aggregates their counts.

FROM sample_data
| STATS count=COUNT() BY category=CATEGORIZE(message)
		

Group log message categories by time interval by combining CATEGORIZE with BUCKET in the same BY clause.

FROM sample_data
| STATS count = COUNT(*) BY category = CATEGORIZE(message), time_bucket = BUCKET(@timestamp, 1 HOUR)
| SORT time_bucket DESC, count DESC, category
		

Surface one representative raw message per category by combining CATEGORIZE with SAMPLE.

FROM sample_data
| STATS sample_message = SAMPLE(message, 1) BY category = CATEGORIZE(message)
| SORT category