Fix rate docs (#118)

tothmano · web-flow · commit 0de96f5cba35 · 2024-10-16T14:16:51.000+01:00
diff --git a/apl/aggregation-function/rate.mdx b/apl/aggregation-function/rate.mdx
@@ -17,13 +17,13 @@ If you come from other query languages, this section explains how to adjust your
 In Splunk SPL, the equivalent of the `rate` function can be achieved using the `timechart` command with a `per_second` option or by calculating the difference between successive values over time. In APL, the `rate` function simplifies this process by directly calculating the rate over a specified time interval.
 
 <CodeGroup>
-```splunk
-| timechart per_second count by status
+```splunk Splunk example
+| timechart per_second count by resp_body_size_bytes
 ```
 
-```kusto
+```kusto APL equivalent
 ['sample-http-logs']
-| summarize rate=count() by status, bin(_time, 1s)
+| summarize rate(resp_body_size_bytes) by bin(_time, 1s)
 ```
 </CodeGroup>
 
@@ -33,15 +33,14 @@ In Splunk SPL, the equivalent of the `rate` function can be achieved using the `
 In ANSI SQL, calculating rates typically involves using window functions like `LAG` or `LEAD` to calculate the difference between successive rows in a time series. In APL, the `rate` function abstracts this complexity by allowing you to directly compute the rate over time without needing window functions.
 
 <CodeGroup>
-```sql
-SELECT status, COUNT(*) / TIMESTAMPDIFF(SECOND, MIN(_time), MAX(_time)) AS rate
-FROM http_logs
-GROUP BY status;
+```sql SQL example
+SELECT resp_body_size_bytes, COUNT(*) / TIMESTAMPDIFF(SECOND, MIN(_time), MAX(_time)) AS rate
+FROM http_logs;
 ```
 
-```kusto
+```kusto APL equivalent
 ['sample-http-logs']
-| summarize rate=count() by status, bin(_time, 1s)
+| summarize rate(resp_body_size_bytes) by bin(_time, 1s)
 ```
 </CodeGroup>
 
@@ -53,88 +52,107 @@ GROUP BY status;
 ### Syntax
 
 ```kusto
-rate(field, timeInterval)
+rate(field)
 ```
 
 ### Parameters
 
-- `field`: The numeric field that you want to calculate the rate for.
-- `timeInterval`: The time interval (e.g., 1s, 1m, 1h) over which to calculate the rate.
+- `field`: The numeric field for which you want to calculate the rate.
 
 ### Returns
 
-Returns the rate of change or occurrence of the specified `field` over the specified `timeInterval`.
+Returns the rate of change or occurrence of the specified `field` over the time interval specified in the query.
+
+Specify the time interval in the query in the following way:
+
+- `| summarize rate(field)` calculates the rate value of the field over the entire query window.
+- `| summarize rate(field) by bin(_time, 1h)` calculates the rate value of the field over a one-hour time window.
+- `| summarize rate(field) by bin_auto(_time)` calculates the rate value of the field bucketed by an automatic time window computed by `bin_auto()`.
+
+<Tip>
+
+Use two `summarize` statements to visualize the average rate over one minute per hour. For example:
+
+```kusto
+['sample-http-logs']
+| summarize respBodyRate = rate(resp_body_size_bytes) by bin(_time, 1m)
+| summarize avg(respBodyRate) by bin(_time, 1h)
+```
+
+[Run in Playground](https://play.axiom.co/axiom-play-qf1k/explorer?initForm=%7B%22apl%22%3A%22%5B'sample-http-logs'%5D%20%7C%20summarize%20respBodyRate%20%3D%20rate(resp_body_size_bytes)%20by%20bin(_time%2C%201m)%20%7C%20summarize%20avg(respBodyRate)%20by%20bin(_time%2C%201h)%22%2C%20%22queryOptions%22%3A%7B%22quickRange%22%3A%226h%22%7D%7D)
+
+</Tip>
 
 ## Use case examples
 
 <Tabs>
 <Tab title="Log analysis">
 
-In this example, the `rate` aggregation calculates the rate of HTTP requests per second grouped by status.
+In this example, the `rate` aggregation calculates the rate of HTTP response sizes per second.
 
 **Query**
 
 ```kusto
 ['sample-http-logs']
-| summarize rate=count() by status, bin(_time, 1s)
+| summarize rate(resp_body_size_bytes) by bin(_time, 1s)
 ```
 
-[Run in Playground](https://play.axiom.co/axiom-play-qf1k/explorer?initForm=%7B%22apl%22%3A%22%5B%27sample-http-logs%27%5D%20%7C%20summarize%20rate%3Dcount%28%29%20by%20status%2C%20bin%28_time%2C%201s%29%22%7D)
+[Run in Playground](https://play.axiom.co/axiom-play-qf1k/explorer?initForm=%7B%22apl%22%3A%22%5B'sample-http-logs'%5D%20%7C%20summarize%20rate(resp_body_size_bytes)%20by%20bin(_time%2C%201s)%22%7D)
 
 **Output**
 
-| status | rate  | _time              |
-|--------|-------|--------------------|
-| 200    | 15    | 2024-01-01 12:00:00|
-| 404    | 3     | 2024-01-01 12:00:00|
+| rate  | _time              |
+|-------|--------------------|
+| 854 kB    | 2024-01-01 12:00:00|
+| 635 kB    | 2024-01-01 12:00:01|
 
-This query counts the number of requests per status code and calculates the rate of requests per second.
+This query calculates the rate of HTTP response sizes per second.
 
 </Tab>
 <Tab title="OpenTelemetry traces">
 
-This example calculates the rate of traces received per second for different services.
+This example calculates the rate of span duration per second.
 
 **Query**
 
 ```kusto
 ['otel-demo-traces']
-| summarize rate=count() by ['service.name'], bin(_time, 1s)
+| summarize rate(toint(duration)) by bin(_time, 1s)
 ```
 
-[Run in Playground](https://play.axiom.co/axiom-play-qf1k/explorer?initForm=%7B%22apl%22%3A%22%5B%27otel-demo-traces%27%5D%20%7C%20summarize%20rate%3Dcount%28%29%20by%20%5B%27service.name%27%5D%2C%20bin%28_time%2C%201s%29%22%7D)
+[Run in Playground](https://play.axiom.co/axiom-play-qf1k/explorer?initForm=%7B%22apl%22%3A%22%5B'otel-demo-traces'%5D%20%7C%20summarize%20rate(toint(duration))%20by%20bin(_time%2C%201s)%22%7D)
 
 **Output**
 
-| service.name         | rate  | _time              |
-|----------------------|-------|--------------------|
-| frontend             | 10    | 2024-01-01 12:00:00|
-| checkoutservice      | 5     | 2024-01-01 12:00:00|
+| rate  | _time              |
+|-------|--------------------|
+| 26,393,768    | 2024-01-01 12:00:00|
+| 19,303,456     | 2024-01-01 12:00:01|
 
-This query calculates the rate of traces per second for each service.
+This query calculates the rate of span duration per second.
 
 </Tab>
 <Tab title="Security logs">
 
-In this example, the `rate` aggregation calculates the rate of security events by HTTP status.
+In this example, the `rate` aggregation calculates the rate of HTTP request duration per second which can be useful to detect an increate in malicious requests.
 
 **Query**
 
 ```kusto
 ['sample-http-logs']
-| summarize rate=count() by status, bin(_time, 1s)
+| summarize rate(req_duration_ms) by bin(_time, 1s)
 ```
 
-[Run in Playground](https://play.axiom.co/axiom-play-qf1k/explorer?initForm=%7B%22apl%22%3A%22%5B%27sample-http-logs%27%5D%20%7C%20summarize%20rate%3Dcount%28%29%20by%20status%2C%20bin%28_time%2C%201s%29%22%7D)
+[Run in Playground](https://play.axiom.co/axiom-play-qf1k/explorer?initForm=%7B%22apl%22%3A%22%5B'sample-http-logs'%5D%20%7C%20summarize%20rate(req_duration_ms)%20by%20bin(_time%2C%201s)%22%7D)
 
 **Output**
 
-| status | rate  | _time              |
-|--------|-------|--------------------|
-| 401    | 8     | 2024-01-01 12:00:00|
-| 403    | 2     | 2024-01-01 12:00:00|
+| rate  | _time              |
+|-------|--------------------|
+| 240.668 ms     | 2024-01-01 12:00:00|
+| 264.17 ms      | 2024-01-01 12:00:01|
 
-This query calculates the rate of different security-related status codes over time.
+This query calculates the rate of HTTP request duration per second.
 
 </Tab>
 </Tabs>
@@ -145,4 +163,4 @@ This query calculates the rate of different security-related status codes over t
 - [**sum**](/apl/aggregation-function/sum): Returns the sum of values in a field. Use `sum` when you want to aggregate the total value, not its rate of change.
 - [**avg**](/apl/aggregation-function/avg): Returns the average value of a field. Use `avg` when you want to know the mean value rather than how it changes over time.
 - [**max**](/apl/aggregation-function/max): Returns the maximum value of a field. Use `max` when you need to find the peak value instead of how often or quickly something occurs.
-- [**min**](/apl/aggregation-function/min): Returns the minimum value of a field. Use `min` when you're looking for the lowest value rather than a rate.
+- [**min**](/apl/aggregation-function/min): Returns the minimum value of a field. Use `min` when you’re looking for the lowest value rather than a rate.
