# Aggregation Functions

{% hint style="info" %}
PantherFlow is in open beta starting with Panther version 1.110, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.
{% endhint %}

## Overview

View additional examples using aggregation functions on [Summarize Operator](https://docs.panther.com/pantherflow/operators/summarize).

## `agg.avg()`

`agg.avg(column: any) -> float`

Returns the average of the values in the aggregation.

**Example:**

```kusto
panther_logs.public.aws_alb
| summarize agg.avg(receivedBytes) by ip_address
```

## `agg.count()`

`agg.count([column: any]) -> int`

Returns the number of values in the aggregation.

**Example:**

```kusto
panther_logs.public.aws_alb
| summarize agg.count() by ip_address
```

## `agg.count_distinct()`

`agg.count_distinct(column: any) -> int`

Returns the number of unique values in the aggregation.

**Example:**

```kusto
panther_logs.public.aws_alb
| summarize agg.count_distinct(targetStatusCode) by ip_address
```

## `agg.make_set()`

`agg.make_set(column: any) -> any`

Returns a set of unique values from the column.

**Example:**

```kusto
panther_logs.public.aws_alb
| summarize agg.make_set(targetStatusCode) by ip_address
```

## `agg.max()`

`agg.max(column: any) -> float`

Returns the maximum value in the aggregation.

**Example:**

```kusto
panther_logs.public.aws_alb
| summarize agg.max(receivedBytes) by ip_address
```

## `agg.min()`

`agg.min(column: any) -> float`

Returns the minimum value in the aggregation.

**Example:**

```kusto
panther_logs.public.aws_alb
| summarize agg.min(receivedBytes) by ip_address
```

## `agg.percentile_cont()`

`agg.percentile_cont(column: [any], percentile: number) -> float`

For a given `percentile` value between 0.0 and 1.0, return the value of the input `column` based on a continuous distribution of rows. If no input row lies exactly at the desired percentile, the result is calculated using linear interpolation of the two nearest input values. If a group contains only one value, then that value will be returned for any specified percentile (e.g. both percentile 0.0 and percentile 1.0 will return that one row).

**Example:**

```kusto
datatable [
{"bytes": 0, "group": "a"},
{"bytes": 500, "group": "a"},
{"bytes": 1000, "group": "a"},
{"bytes": 0, "group": "b"},
{"bytes": 5, "group": "b"},
{"bytes": 10, "group": "b"}
]
| summarize p50=agg.percentile_cont(bytes, 0.50),
p75=agg.percentile_cont(bytes, 0.75),
p99=agg.percentile_cont(bytes, 0.99) by group
```

## `agg.stddev()`

`agg.stddev(column: [number]) -> float`

Returns the sample standard deviation (square root of sample variance) of non-null values.

**Example:**

```kusto
panther_logs.public.aws_alb
| summarize agg.stddev(receivedBytes) by ip_address
```

## `agg.sum()`

`agg.sum(column: [any]) -> float`

Returns the sum of the values in the aggregation.

**Example:**

```kusto
panther_logs.public.aws_alb
| summarize agg.sum(receivedBytes) by ip_address
```

## `agg.take_any()`

`agg.take_any(column: [any]) -> any`

Returns any value from the aggregation.

**Example:**

```kusto
panther_logs.public.aws_alb
| summarize agg.take_any(targetGroupArn) by ip_address
```