Skip to content

Count

AggregationRate Limiting

Count how many times a specific event happens for a given user or device within a rolling time window. Every time the event fires, the counter goes up by one. When the window expires, it resets.

When to Use

  • Detecting abnormal activity spikes (e.g., 200 song plays in 10 minutes)
  • Rate limiting (e.g., no more than 3 login attempts per 10 minutes)
  • Building thresholds for alerting (e.g., flag accounts with 50+ events/hour)
  • Bot detection — bots repeat actions at a rate humans can't match

Configuration

json
{
  "name": "login_attempts_10m",
  "operation": "count",
  "group_by": "device_id",
  "window_duration_seconds": 600,
  "filters": { "field": "event_name", "operator": "equals", "value": "login" }
}

Response

json
{
  "behaviors": {
    "login_attempts_10m": {
      "count": 3,
      "timestamp": "2025-06-12T16:52:04.940Z",
      "remaining_window_seconds": 586
    }
  }
}

Use Case: Stream Farming Detection

A music platform wants to detect bot accounts farming streams by playing songs at an inhuman rate. A real user pauses songs every few minutes; a bot triggers hundreds of PauseSong events per hour.

json
{
  "name": "song_plays_1h",
  "operation": "count",
  "group_by": "identity",
  "window_duration_seconds": 3600,
  "filters": {
    "field": "event_name",
    "operator": "equals",
    "value": "PauseSong"
  }
}

Reading the output

A count above ~60 in an hour (one play per minute sustained) is unusual for a human listener. Combined with time_between data showing sub-second gaps between plays, high count is a strong bot signal.

json
{
  "behaviors": {
    "song_plays_1h": {
      "count": 347,
      "timestamp": "2025-06-12T16:52:04.940Z",
      "remaining_window_seconds": 1843
    }
  }
}