# Aggregation Functions

{% hint style="info" %}
PantherFlow is in open beta starting with Panther version 1.110, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.
{% endhint %}

## Overview

View additional examples using aggregation functions on [Summarize Operator](/pantherflow/operators/summarize.md).

## `agg.avg()`

`agg.avg(column: any) -> float`

Returns the average of the values in the aggregation.

**Example:**

```kusto
panther_logs.public.aws_alb
| summarize agg.avg(receivedBytes) by ip_address
```

## `agg.count()`

`agg.count([column: any]) -> int`

Returns the number of values in the aggregation.

**Example:**

```kusto
panther_logs.public.aws_alb
| summarize agg.count() by ip_address
```

## `agg.count_distinct()`

`agg.count_distinct(column: any) -> int`

Returns the number of unique values in the aggregation.

**Example:**

```kusto
panther_logs.public.aws_alb
| summarize agg.count_distinct(targetStatusCode) by ip_address
```

## `agg.make_set()`

`agg.make_set(column: any) -> any`

Returns a set of unique values from the column.

**Example:**

```kusto
panther_logs.public.aws_alb
| summarize agg.make_set(targetStatusCode) by ip_address
```

## `agg.max()`

`agg.max(column: any) -> float`

Returns the maximum value in the aggregation.

**Example:**

```kusto
panther_logs.public.aws_alb
| summarize agg.max(receivedBytes) by ip_address
```

## `agg.min()`

`agg.min(column: any) -> float`

Returns the minimum value in the aggregation.

**Example:**

```kusto
panther_logs.public.aws_alb
| summarize agg.min(receivedBytes) by ip_address
```

## `agg.percentile_cont()`

`agg.percentile_cont(column: [any], percentile: number) -> float`

For a given `percentile` value between 0.0 and 1.0, returns the value of the input `column` based on a continuous distribution of rows. If no input row lies exactly at the desired percentile, the result is calculated using linear interpolation of the two nearest input values. If a group contains only one value, then that value will be returned for any specified percentile (e.g. both percentile 0.0 and percentile 1.0 will return that one row).

**Example:**

```kusto
datatable [
    {"bytes": 0, "group": "a"},
    {"bytes": 500, "group": "a"},
    {"bytes": 1000, "group": "a"},
    {"bytes": 0, "group": "b"},
    {"bytes": 5, "group": "b"},
    {"bytes": 10, "group": "b"}
]
| summarize p50=agg.percentile_cont(bytes, 0.50),
            p75=agg.percentile_cont(bytes, 0.75),
            p99=agg.percentile_cont(bytes, 0.99) by group
```
```
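
To make the interpolation rule concrete, the following Python sketch recomputes the percentiles for the datatable above. It is an added example, not Panther's implementation. It assumes the conventional SQL `PERCENTILE_CONT` position `percentile * (n - 1)` within the sorted values and that nulls are skipped; the helper names `percentile_cont` and `summarize` are hypothetical.

```python
import math
from collections import defaultdict

# Rows copied from the datatable in the PantherFlow example above.
ROWS = [
    {"bytes": 0, "group": "a"}, {"bytes": 500, "group": "a"},
    {"bytes": 1000, "group": "a"}, {"bytes": 0, "group": "b"},
    {"bytes": 5, "group": "b"}, {"bytes": 10, "group": "b"},
]


def percentile_cont(values, percentile):
    """Continuous percentile with linear interpolation between neighbours.

    Assumption: the target position is percentile * (n - 1) in the sorted,
    non-null values (the usual SQL PERCENTILE_CONT definition).
    """
    if not 0.0 <= percentile <= 1.0:
        raise ValueError("percentile must be between 0.0 and 1.0")
    ordered = sorted(v for v in values if v is not None)
    if not ordered:
        return None  # nothing to aggregate in this group
    pos = percentile * (len(ordered) - 1)
    lo, hi = math.floor(pos), math.ceil(pos)
    if lo == hi:
        # A row lies exactly at the percentile (also the single-value case).
        return float(ordered[lo])
    # Otherwise interpolate between the two nearest input values.
    return ordered[lo] + (ordered[hi] - ordered[lo]) * (pos - lo)


def summarize(rows, column, by, percentiles):
    """Group rows by `by`, then compute each named percentile of `column`."""
    groups = defaultdict(list)
    for row in rows:
        groups[row[by]].append(row.get(column))
    return {
        key: {name: percentile_cont(vals, p) for name, p in percentiles.items()}
        for key, vals in groups.items()
    }


if __name__ == "__main__":
    wanted = {"p50": 0.50, "p75": 0.75, "p99": 0.99}
    for group, stats in sorted(summarize(ROWS, "bytes", "group", wanted).items()):
        print(group, stats)
```

Under these assumptions, `p50` falls exactly on the middle row of each group, while `p75` and `p99` fall between the second and third rows and are interpolated.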

## `agg.stddev()`

`agg.stddev(column: [number]) -> float`

Returns the sample standard deviation (square root of sample variance) of non-null values.

**Example:**

```kusto
panther_logs.public.aws_alb
| summarize agg.stddev(receivedBytes) by ip_address
```

## `agg.sum()`

`agg.sum(column: [any]) -> float`

Returns the sum of the values in the aggregation.

**Example:**

```kusto
panther_logs.public.aws_alb
| summarize agg.sum(receivedBytes) by ip_address
```

## `agg.take_any()`

`agg.take_any(column: [any]) -> any`

Returns any value from the aggregation.

**Example:**

```kusto
panther_logs.public.aws_alb
| summarize agg.take_any(targetGroupArn) by ip_address
```

