# Summarize Operator ## Overview Aggregate findings with `summarize`. ```kusto | summarize [[=]aggregation[, ...]] by [=][, ...] ``` Many aggregations are supported, including: * [`agg.avg()`](https://docs.panther.com/functions/aggregation#agg.avg) * [`agg.count()`](https://docs.panther.com/functions/aggregation#agg.count) * [`agg.count_distinct()`](https://docs.panther.com/functions/aggregation#agg.count_distinct) * [`agg.make_set()`](https://docs.panther.com/functions/aggregation#agg.make_set) * [`agg.max()`](https://docs.panther.com/functions/aggregation#agg.max) * [`agg.min()`](https://docs.panther.com/functions/aggregation#agg.min) * [`agg.percentile_cont()`](https://docs.panther.com/functions/aggregation#agg.percentile_cont) * [`agg.stddev()`](https://docs.panther.com/functions/aggregation#agg.stddev) * [`agg.sum()`](https://docs.panther.com/functions/aggregation#agg.sum) * [`agg.take_any()`](https://docs.panther.com/functions/aggregation#agg.take_any) See a full list of available aggregations on [Aggregation Functions](https://docs.panther.com/pantherflow/functions/aggregation). ## Examples ### Count The following query displays the count of all events in the last day stored in field `num_connections`: ```kusto panther_logs.public.aws_alb | where p_event_time > time.ago(1d) | summarize num_connections=agg.count() ``` | num\_connections | | ---------------- | | 993 | ### Group count by single field The following query counts the number of connections for each `clientIp` and orders results with the largest number of connections first: ```kusto panther_logs.public.aws_alb | where p_event_time > time.ago(1d) | summarize num_connections=agg.count() by clientIp | sort num_connections ``` | clientIp | num\_connections | | ------------ | ---------------- | | 192.167.7.55 | 979 | | 10.145.4.26 | 130 | | 10.99.231.15 | 31 | | ... | | ### Group count by multiple fields The following query displays `num_connections` grouped by both the `clientIp` and `clientPort` fields: ```kusto panther_logs.public.aws_alb | where p_event_time > time.ago(1d) | summarize num_connections=agg.count() by clientIp, clientPort | sort num_connections ``` | clientIp | clientPort | num\_connections | | ------------ | ---------- | ---------------- | | 192.167.7.55 | 50160 | 7 | | 10.145.4.26 | 63335 | 5 | | 10.145.4.26 | 60845 | 4 | | 192.167.7.55 | 52138 | 4 | | 10.99.231.15 | 58704 | 3 | | … | | | ### Group count by arbitrary expressions ```kusto panther_logs.public.aws_alb | where p_event_time > time.ago(1d) | summarize num_connections=agg.count() by isOK = elbStatusCode == 200 | sort num_connections ``` | isOK | num\_connections | | ----- | ---------------- | | true | 1114 | | false | 324 | ### Count distinct The query below stores the distinct number of `clientIp`s in `num_distinct_clients`: ```kusto panther_logs.public.aws_alb | where p_event_time > time.ago(1d) | summarize num_distinct_clients=agg.count_distinct(clientIp) ``` | num\_distinct\_clients | | ---------------------- | | 121 | ### Refer to an aggregation later You can refer to an aggregation in a subsequent query expression: ```kusto panther_logs.public.aws_alb | where p_event_time > time.ago(1d) | summarize num_connections=agg.count() by clientIp, clientPort | where num_connections >= 5 ``` | clientIp | clientPort | num\_connections | | ------------ | ---------- | ---------------- | | 192.167.7.55 | 50160 | 7 | | 10.145.4.26 | 63335 | 5 | | ... | | | ### Summarize by field (without aggregation) The query below displays each unique `userAgent`: ```kusto panther_logs.public.aws_alb | where p_event_time > time.ago(1d) | summarize by userAgent ``` | userAgent | | -------------------------------------------------------------------------------------------------------------------------------------- | | Mozilla/5.0 (X11; Linux x86\_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 | | curl/8.1.2 | | Mozilla/5.0 (Linux; Android 7.0; LG-H918 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Mobile Safari/537.36 | | … |