Appearance
Count
AggregationRate Limiting
Count how many times a specific event happens for a given user or device within a rolling time window. Every time the event fires, the counter goes up by one. When the window expires, it resets.
When to Use
- Detecting abnormal activity spikes (e.g., 200 song plays in 10 minutes)
- Rate limiting (e.g., no more than 3 login attempts per 10 minutes)
- Building thresholds for alerting (e.g., flag accounts with 50+ events/hour)
- Bot detection — bots repeat actions at a rate humans can't match
Configuration
json
{
"name": "login_attempts_10m",
"operation": "count",
"group_by": "device_id",
"window_duration_seconds": 600,
"filters": { "field": "event_name", "operator": "equals", "value": "login" }
}Response
json
{
"behaviors": {
"login_attempts_10m": {
"count": 3,
"timestamp": "2025-06-12T16:52:04.940Z",
"remaining_window_seconds": 586
}
}
}Use Case: Stream Farming Detection
A music platform wants to detect bot accounts farming streams by playing songs at an inhuman rate. A real user pauses songs every few minutes; a bot triggers hundreds of PauseSong events per hour.
json
{
"name": "song_plays_1h",
"operation": "count",
"group_by": "identity",
"window_duration_seconds": 3600,
"filters": {
"field": "event_name",
"operator": "equals",
"value": "PauseSong"
}
}Reading the output
A count above ~60 in an hour (one play per minute sustained) is unusual for a human listener. Combined with time_between data showing sub-second gaps between plays, high count is a strong bot signal.
json
{
"behaviors": {
"song_plays_1h": {
"count": 347,
"timestamp": "2025-06-12T16:52:04.940Z",
"remaining_window_seconds": 1843
}
}
}