Aggregation Functions

agg.avg()

agg.avg(column: any) -> float

Returns the average of the values in the aggregation.

Example:

panther_logs.public.aws_alb
| summarize agg.avg(receivedBytes) by ip_address

agg.count()

agg.count([column: any]) -> int

Returns the number of values in the aggregation.

Example:

panther_logs.public.aws_alb
| summarize agg.count() by ip_address

agg.count_distinct()

agg.count_distinct(column: any) -> int

Returns the number of unique values in the aggregation.

Example:

agg.make_set()

agg.make_set(column: any) -> any

Returns a set of unique values from the column.

Example:

agg.max()

agg.max(column: any) -> float

Returns the maximum value in the aggregation.

Example:

agg.min()

agg.min(column: any) -> float

Returns the minimum value in the aggregation.

Example:

agg.percentile_cont()

agg.percentile_cont(column: [any], percentile: number) -> float

For a given percentile value between 0.0 and 1.0, return the value of the input column based on a continuous distribution of rows. If no input row lies exactly at the desired percentile, the result is calculated using linear interpolation of the two nearest input values. If a group contains only one value, then that value will be returned for any specified percentile (e.g. both percentile 0.0 and percentile 1.0 will return that one row).

Example:

agg.stddev()

agg.stddev(column: [number]) -> float

Returns the sample standard deviation (square root of sample variance) of non-null values.

Example:

agg.sum()

agg.sum(column: [any]) -> float

Returns the sum of the values in the aggregation.

Example:

agg.take_any()

agg.take_any(column: [any]) -> any

Returns any value from the aggregation.

Example: