Aggregation functions

Statistical functions

All of these functions are used in the context of the summarize operator.

| Function Name | Description |
| --- | --- |
| avg() | Returns an average value across the group. |
| countif() | Returns a count of rows for which Predicate evaluates to true. |
| count() | Returns a count of the group without/with a predicate. |
| dcount() | Returns an estimate for the number of distinct values that are taken by a scalar expression in the summary group. |
| dcountif() | Returns an estimate of the number of distinct values of Expr of rows for which Predicate evaluates to true. |
| max() | Returns the maximum value across the group. |
| min() | Returns the minimum value across the group. |
| sum() | Calculates the sum of Expr across the group. |
| histogram() | Returns a timeseries heatmap chart across the group. |
| topk() | Calculates the top values of Expr across the group in a dataset. |
| percentile() | Calculates the requested percentiles of the group and produces a timeseries chart. |
| variance() | Calculates the variance of Expr across the group. |
| stdev() | Calculates the standard deviation of Expr across the group. |

avg()

Calculates the average (arithmetic mean) of Expr across the group.

Arguments

  • Expr: Expression that will be used for aggregation calculation.

Returns

The average value of Expr across the group.

Example

avg(Expr)

['sample-http-logs']
| summarize avg(req_duration_ms)

countif()

Returns a count of rows for which Predicate evaluates to true.

Arguments

  • Predicate: Expression that will be used for aggregation calculation. Predicate can be any scalar expression with a return type of bool (evaluating to true/false).

Returns

Returns a count of rows for which Predicate evaluates to true.

Example

countif(Predicate)

count()

Returns a count of the records per summarization group (or in total, if summarization is done without grouping).

Returns

Returns a count of the records per summarization group.

Example

count()

['sample-http-logs']
| summarize count()

dcount()

Returns an estimate for the number of distinct values that are taken by a scalar expression in the summary group.

Arguments

  • Expr: A scalar expression whose distinct values are to be counted.

Returns

Returns an estimate of the number of distinct values of Expr in the group.

Example

dcount(Expr)

['sample-http-logs']
| summarize dcount(resp_body_size_bytes)

dcountif()

Returns an estimate of the number of distinct values of Expr of rows for which Predicate evaluates to true.

Arguments

  • Expr: Expression that will be used for aggregation calculation.

  • Predicate: Expression that will be used to filter rows.

Returns

Returns an estimate of the number of distinct values of Expr of rows for which Predicate evaluates to true in the group.

Example

dcountif(Expr, Predicate)
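
Neither countif() nor dcountif() is shown with a query here, so the following added example (not from the original page) uses both against the same sample dataset to track unencrypted and slow requests per country. It assumes is_tls is a boolean field; the 1000 ms threshold and the result column names are arbitrary illustrative choices.

```kusto
// Added example: field types, the 1000 ms threshold and the aliases are assumptions.
['sample-http-logs']
| summarize
    total_requests = count(),
    non_tls_requests = countif(is_tls == false),              // plaintext HTTP requests
    slow_requests = countif(req_duration_ms > 1000),          // requests slower than 1 s
    non_tls_cities = dcountif(['geo.city'], is_tls == false)  // estimated distinct cities sending plaintext requests
  by bin_auto(_time), ['geo.country']
```

A bin where non_tls_requests rises while total_requests stays flat points to clients falling back to plaintext, and non_tls_cities shows whether that comes from one location or many.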

max()

Returns the maximum value across the group.

Arguments

  • Expr: Expression that will be used for aggregation calculation.

Returns

The maximum value of Expr across the group.

Example

max(Expr)

['sample-http-logs']
| summarize max(resp_body_size_bytes)

['sample-http-logs']
| summarize max(req_duration_ms) by bin_auto(_time)

min()

Returns the minimum value across the group.

Arguments

  • Expr: Expression that will be used for aggregation calculation.

Returns

The minimum value of Expr across the group.

Example

min(Expr)

['sample-http-logs']
| summarize min(resp_body_size_bytes)

['sample-http-logs']
| summarize min(req_duration_ms) by bin_auto(_time)

sum()

Calculates the sum of Expr across the group.

Arguments

  • Expr: Expression that will be used for aggregation calculation.

Returns

The sum value of Expr across the group.

Example

sum(Expr)

['sample-http-logs']
| summarize sum(resp_body_size_bytes)

['sample-http-logs']
| summarize sum(resp_header_size_bytes) by bin_auto(_time)

histogram()

Returns a timeseries heatmap chart across the group.

Arguments

  • Expr: Expression that will be used for aggregation calculation.

Returns

Returns a timeseries heatmap chart across the group.

Example

histogram(Expr)

['sample-http-logs']
| summarize histogram(resp_header_size_bytes, 10) by bin_auto(_time)

['sample-http-logs']
| summarize histogram(resp_header_size_bytes, 10) by bin_auto(_time), ['geo.country']

topk()

Calculates the top values of Expr across the group in a dataset.

Arguments

  • Expr: Expression that will be used for aggregation calculation.

Returns

  • A separate result for each group plotted on a timeseries chart.

Example

topk(Expr)

['sample-http-logs']
| summarize topk(method, 4) by bin_auto(_time)

['sample-http-logs']
| summarize topk(method, 10) by bin_auto(_time), ['geo.city'], is_tls

percentile(), percentiles_array()

Calculates the requested percentile of the group and produces a timeseries chart.

Arguments

  • Expr: Expression that will be used for aggregation calculation.
  • Percentile: A double constant that specifies the percentile.

Returns

A separate result for each group plotted on a horizontal bar chart, allowing for visual comparison across the groups.

Examples

percentile(Expr, Percentile)
percentiles_array(Expr, Percentile1 [, Percentile2])

['sample-http-logs']
| summarize percentile(resp_header_size_bytes, 10) by bin_auto(_time)

variance()

Calculates the variance of Expr across the group.

Arguments

  • Expr: Expression that will be used for aggregation calculation.

Returns

The variance value of Expr across the group.

Example

variance(Expr)

['sample-http-logs']
| summarize variance(resp_header_size_bytes) by bin_auto(_time)

stdev()

Calculates the standard deviation of Expr across the group.

Arguments

  • Expr: Expression that will be used for aggregation calculation.

Returns

The standard deviation value of Expr across the group.

Example

stdev(Expr)

['sample-http-logs']
| summarize stdev(resp_header_size_bytes) by bin_auto(_time)

['sample-http-logs']
| summarize stdev(req_duration_ms) by bin_auto(_time), content_type
