Summarize Operator
Overview
Aggregate findings with summarize.
Many aggregations are supported, including:
See a full list of available aggregations on PantherFlow Functions.
Examples
Count
The following query displays the count of all events in the last day stored in field num_connections:
| num_connections |
|---|
993 |
Group count by single field
The following query counts the number of connections for each clientIp and orders results with the largest number of connections first:
| clientIp | num_connections |
|---|---|
192.167.7.55 | 979 |
10.145.4.26 | 130 |
10.99.231.15 | 31 |
... |
Group count by multiple fields
The following query displays num_connections grouped by both the clientIp and clientPort fields:
| clientIp | clientPort | num_connections |
|---|---|---|
192.167.7.55 | 50160 | 7 |
10.145.4.26 | 63335 | 5 |
10.145.4.26 | 60845 | 4 |
192.167.7.55 | 52138 | 4 |
10.99.231.15 | 58704 | 3 |
… |
Group count by arbitrary expressions
| isOK | num_connections |
|---|---|
true | 1114 |
false | 324 |
Count distinct
The query below stores the distinct number of clientIps in num_distinct_clients:
| num_distinct_clients |
|---|
121 |
Refer to an aggregation later
You can refer to an aggregation in a subsequent query expression:
| clientIp | clientPort | num_connections |
|---|---|---|
192.167.7.55 | 50160 | 7 |
10.145.4.26 | 63335 | 5 |
... |
Summarize by field (without aggregation)
The query below displays each unique userAgent:
| userAgent |
|---|
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36 |
curl/8.1.2 |
Mozilla/5.0 (Linux; Android 7.0; LG-H918 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Mobile Safari/537.36 |
… |
Last updated