Overview
Aggregate findings with summarize.
| summarize [[<dest>=]aggregation[, ...]] by [<dest>=]<expression>[, ...]
Many aggregations are supported, including:
See a full list of available aggregations on PantherFlow Functions.
Examples
Count
The following query displays the count of all events in the last day stored in field num_connections:
panther_logs.public.aws_alb
| where p_event_time > time.ago(1d)
| summarize num_connections=agg.count()
Group count by single field
The following query counts the number of connections for each clientIp and orders results with the largest number of connections first:
panther_logs.public.aws_alb
| where p_event_time > time.ago(1d)
| summarize num_connections=agg.count() by clientIp
| sort num_connections
Group count by multiple fields
The following query displays num_connections grouped by both the clientIp and clientPort fields:
panther_logs.public.aws_alb
| where p_event_time > time.ago(1d)
| summarize num_connections=agg.count() by clientIp, clientPort
| sort num_connections
Group count by arbitrary expressions
panther_logs.public.aws_alb
| where p_event_time > time.ago(1d)
| summarize num_connections=agg.count() by isOK = elbStatusCode == 200
| sort num_connections
Count distinct
The query below stores the distinct number of clientIps in num_distinct_clients:
panther_logs.public.aws_alb
| where p_event_time > time.ago(1d)
| summarize num_distinct_clients=agg.count_distinct(clientIp)
Refer to an aggregation later
You can refer to an aggregation in a subsequent query expression:
panther_logs.public.aws_alb
| where p_event_time > time.ago(1d)
| summarize num_connections=agg.count() by clientIp, clientPort
| where num_connections >= 5
Summarize by field (without aggregation)
The query below displays each unique userAgent:
panther_logs.public.aws_alb
| where p_event_time > time.ago(1d)
| summarize by userAgent
Last updated
