Aggregation Functions

PantherFlow aggregation functions

PantherFlow is in open beta starting with Panther version 1.110, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.

Overview

View additional examples using aggregation functions on Summarize Operator.

`agg.avg()`

agg.avg(column: any) -> float

Returns the average of the values in the aggregation.

Example:

panther_logs.public.aws_alb
| summarize agg.avg(receivedBytes) by ip_address

`agg.count()`

agg.count([column: any]) -> int

Returns the number of values in the aggregation.

Example:

panther_logs.public.aws_alb
| summarize agg.count() by ip_address

`agg.count_distinct()`

agg.count_distinct(column: any) -> int

Returns the number of unique values in the aggregation.

Example:

panther_logs.public.aws_alb
| summarize agg.count_distinct(targetStatusCode) by ip_address

`agg.make_set()`

agg.make_set(column: any) -> any

Returns a set of unique values from the column.

Example:

panther_logs.public.aws_alb
| summarize agg.make_set(targetStatusCode) by ip_address

`agg.max()`

agg.max(column: any) -> float

Returns the maximum value in the aggregation.

Example:

panther_logs.public.aws_alb
| summarize agg.max(receivedBytes) by ip_address

`agg.min()`

agg.min(column: any) -> float

Returns the minimum value in the aggregation.

Example:

panther_logs.public.aws_alb
| summarize agg.min(receivedBytes) by ip_address

`agg.percentile_cont()`

agg.percentile_cont(column: [any], percentile: number) -> float

For a given percentile value between 0.0 and 1.0, return the value of the input column based on a continuous distribution of rows. If no input row lies exactly at the desired percentile, the result is calculated using linear interpolation of the two nearest input values. If a group contains only one value, then that value will be returned for any specified percentile (e.g. both percentile 0.0 and percentile 1.0 will return that one row).

Example:

datatable [
{"bytes": 0, "group": "a"},
{"bytes": 500, "group": "a"},
{"bytes": 1000, "group": "a"},
{"bytes": 0, "group": "b"},
{"bytes": 5, "group": "b"},
{"bytes": 10, "group": "b"}
]
| summarize p50=agg.percentile_cont(bytes, 0.50),
p75=agg.percentile_cont(bytes, 0.75),
p99=agg.percentile_cont(bytes, 0.99) by group

`agg.stddev()`

agg.stddev(column: [number]) -> float

Returns the sample standard deviation (square root of sample variance) of non-null values.

Example:

panther_logs.public.aws_alb
| summarize agg.stddev(receivedBytes) by ip_address

`agg.sum()`

agg.sum(column: [any]) -> float

Returns the sum of the values in the aggregation.

Example:

panther_logs.public.aws_alb
| summarize agg.sum(receivedBytes) by ip_address

`agg.take_any()`

agg.take_any(column: [any]) -> any

Returns any value from the aggregation.

Example:

panther_logs.public.aws_alb
| summarize agg.take_any(targetGroupArn) by ip_address

PreviousPantherFlow Functions NextDate/time Functions

Last updated 6 months ago

Was this helpful?