search
Knowledge BaseRelease NotesRequest Demo

Summarize Operator

hashtag
Overview

Aggregate findings with summarize.

| summarize [[<dest>=]aggregation[, ...]] by [<dest>=]<expression>[, ...]

Many aggregations are supported, including:

See a full list of available aggregations on Aggregation Functions.

hashtag
Examples

hashtag
Count

The following query displays the count of all events in the last day stored in field num_connections:

num_connections

993

hashtag
Group count by single field

The following query counts the number of connections for each clientIp and orders results with the largest number of connections first:

clientIp
num_connections

192.167.7.55

979

10.145.4.26

130

10.99.231.15

31

...

hashtag
Group count by multiple fields

The following query displays num_connections grouped by both the clientIp and clientPort fields:

clientIp
clientPort
num_connections

192.167.7.55

50160

7

10.145.4.26

63335

5

10.145.4.26

60845

4

192.167.7.55

52138

4

10.99.231.15

58704

3

hashtag
Group count by arbitrary expressions

isOK
num_connections

true

1114

false

324

hashtag
Count distinct

The query below stores the distinct number of clientIps in num_distinct_clients:

num_distinct_clients

121

hashtag
Refer to an aggregation later

You can refer to an aggregation in a subsequent query expression:

clientIp
clientPort
num_connections

192.167.7.55

50160

7

10.145.4.26

63335

5

...

hashtag
Summarize by field (without aggregation)

The query below displays each unique userAgent:

userAgent

Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36

curl/8.1.2

Mozilla/5.0 (Linux; Android 7.0; LG-H918 Build/NRD90M) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Mobile Safari/537.36

PreviousSearch OperatorNextUnion Operator

Last updated

Was this helpful?