Aggregate Functions for chart/stats
The chart and stats operators offer a set of aggregate functions that operate on each group of events produced by the grouping clause. The tables in the previous topic display the number of events that match a specific grouping; that counting operation is the count function of the chart and stats operators.
All of the examples below use data from a Simplified Events Table, described in the chart/stats topic.
-
Example of the count of all Names grouped by Category Outcome: the count function counts how many Name values there are in each group of events organized by Category Outcome.
| Category Outcome | Count of Names |
|---|---|
| /Failure | 2 |
| /Interrupt | 2 |
| /Success | 1 |
-
Example of the count of all the distinct Names grouped by Category Outcome: the only difference from the previous example is the distinct flag, which tells the operator to count each value of the field once. If there are repeated values, the operator counts only one of them.
| Category Outcome | Count of Distinct Names |
|---|---|
| /Failure | 2 |
| /Interrupt | 2 |
| /Success | 1 |
-
Example of the sum of all values of the Bytes In field grouped by Category Outcome: the sum function adds all the numeric values of the Bytes In field for every group of events.
| Category Outcome | Sum of Bytes in |
|---|---|
| /Failure | 3022 + 3009 = 6031 |
| /Interrupt | 3404 + 3063 + 3409 = 9876 |
| /Success | 3216 |
-
Example of the arithmetic average (avg) of the values of the Bytes In field grouped by Category Outcome: the avg function calculates the average of all the numeric values of the Bytes In field for every group of events.
| Category Outcome | Average Bytes in |
|---|---|
| /Failure | 3015.5 |
| /Interrupt | 3292 |
| /Success | 3216 |
-
Example of the standard deviation (stdev) of the values of the Bytes In field grouped by Category Outcome: the stdev function calculates the standard deviation of all the numeric values of the Bytes In field for every group of events. The values in the table are the population standard deviation (the squared deviations from the group mean are divided by the number of values), which is why a group with a single value has a standard deviation of 0.
| Category Outcome | Stdev of Bytes in |
|---|---|
| /Failure | 6.5 |
| /Interrupt | 161.94 |
| /Success | 0 |
-
Example of the minimum (min) of the values of the Bytes In field grouped by Category Outcome: the min function returns the smallest value of the Bytes In field for every group of events.
| Category Outcome | Min of Bytes in |
|---|---|
| /Failure | 3009 |
| /Interrupt | 3063 |
| /Success | 3216 |
-
Example of the maximum (max) of the values of the Bytes In field grouped by Category Outcome: the max function returns the largest value of the Bytes In field for every group of events.
| Category Outcome | Max of Bytes in |
|---|---|
| /Failure | 3022 |
| /Interrupt | 3409 |
| /Success | 3216 |
-
Example of the latest date of the Normalized Event Time field grouped by Category Outcome: the latest function returns the maximum (most recent) value of the Normalized Event Time field for every group of events.
| Category Outcome | Max of Normalized Event Time |
|---|---|
| /Failure | 12/29/22 11:34:15.635 |
| /Interrupt | 12/29/22 11:32:54.064 |
| /Success | 12/29/22 12:34:15.635 |
-
Example of the earliest date of the Normalized Event Time field grouped by Category Outcome: the earliest function returns the minimum (oldest) value of the Normalized Event Time field for every group of events.
| Category Outcome | Min of Normalized Event Time |
|---|---|
| /Failure | 12/29/22 10:34:15.635 |
| /Interrupt | 12/29/22 12:34:15.635 |
| /Success | 11/04/22 10:10:02.000 |
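The aggregate functions above, as an added example that is not the product's own code: a small Python implementation of count, count distinct, sum, avg, stdev, min, max, latest and earliest applied to events grouped by Category Outcome. The event records are constructed for the example; their Bytes In values and the /Failure timestamps come from the tables on this page, while the Name values and the remaining timestamps are assumed. One /Interrupt event is given no Name and the other two share one, so count (2) matches the table above but count distinct drops to 1; treating a missing field as not counted is an assumption of the example. The stdev figures on this page (6.5, 161.94, 0) are reproduced only with the population formula, which is what the example computes.

```python
"""Added example: a reference implementation of the chart/stats aggregate
functions on this page (count, count distinct, sum, avg, stdev, min, max,
latest, earliest). Not the product's own code.

The events below are constructed. Bytes In values and the /Failure timestamps
are taken from the page's tables; Names and the other timestamps are assumed.
"""
from collections import defaultdict
from datetime import datetime
from math import sqrt

# Constructed sample events. The second /Interrupt event has no Name on
# purpose, and the other two /Interrupt events share the Name "login".
EVENTS = [
    {"Name": "login", "Category Outcome": "/Failure", "Bytes In": 3022,
     "Normalized Event Time": datetime(2022, 12, 29, 10, 34, 15, 635000)},
    {"Name": "sudo", "Category Outcome": "/Failure", "Bytes In": 3009,
     "Normalized Event Time": datetime(2022, 12, 29, 11, 34, 15, 635000)},
    {"Name": "login", "Category Outcome": "/Interrupt", "Bytes In": 3404,
     "Normalized Event Time": datetime(2022, 12, 29, 11, 30, 0, 0)},
    {"Category Outcome": "/Interrupt", "Bytes In": 3063,  # no Name field
     "Normalized Event Time": datetime(2022, 12, 29, 11, 31, 0, 0)},
    {"Name": "login", "Category Outcome": "/Interrupt", "Bytes In": 3409,
     "Normalized Event Time": datetime(2022, 12, 29, 11, 32, 54, 64000)},
    {"Name": "login", "Category Outcome": "/Success", "Bytes In": 3216,
     "Normalized Event Time": datetime(2022, 12, 29, 12, 34, 15, 635000)},
]


def _values(events, field):
    """Values of `field` within one group. An event without the field (or
    with a null value) contributes nothing; this is an assumption here."""
    return [e[field] for e in events if e.get(field) is not None]


def count(events, field):
    return len(_values(events, field))


def count_distinct(events, field):
    """count with the distinct flag: repeated values are counted once."""
    return len(set(_values(events, field)))


def sum_of(events, field):
    return sum(_values(events, field))


def avg(events, field):
    v = _values(events, field)
    return sum(v) / len(v) if v else None


def stdev(events, field):
    """Population standard deviation: squared deviations from the group mean
    are divided by N. This reproduces the page's figures (6.5 for two values
    6.5 apart, 0 for a single value); a sample stdev (N - 1) would not."""
    v = _values(events, field)
    if not v:
        return None
    mean = sum(v) / len(v)
    return sqrt(sum((x - mean) ** 2 for x in v) / len(v))


def minimum(events, field):
    v = _values(events, field)
    return min(v) if v else None


def maximum(events, field):
    v = _values(events, field)
    return max(v) if v else None


# latest/earliest are simply max/min applied to a time field.
latest, earliest = maximum, minimum


def stats(events, by, aggregates):
    """Mimic `stats <func>(<field>) ... by <by>`: one row per distinct value
    of `by`, one column per (label, function, field) in `aggregates`."""
    groups = defaultdict(list)
    for e in events:
        groups[e.get(by)].append(e)
    return {key: {label: fn(grp, field) for label, fn, field in aggregates}
            for key, grp in sorted(groups.items(), key=lambda kv: str(kv[0]))}


AGGREGATES = [
    ("count", count, "Name"), ("count distinct", count_distinct, "Name"),
    ("sum", sum_of, "Bytes In"), ("avg", avg, "Bytes In"),
    ("stdev", stdev, "Bytes In"), ("min", minimum, "Bytes In"),
    ("max", maximum, "Bytes In"),
    ("earliest", earliest, "Normalized Event Time"),
    ("latest", latest, "Normalized Event Time"),
]


def report(events=EVENTS, by="Category Outcome", aggregates=AGGREGATES):
    """Group the events by Category Outcome and return one row per group."""
    return stats(events, by, aggregates)


if __name__ == "__main__":
    for outcome, row in report().items():
        print(outcome, {k: (round(v, 2) if isinstance(v, float) else v)
                        for k, v in row.items()})
```

Running the module prints one row per Category Outcome with all nine aggregates; `report()` returns the same rows as a dictionary so the numbers can be compared against the tables above. Swapping the `len(v)` divisor in `stdev` for `len(v) - 1` shows how far a sample standard deviation would drift from the documented figures on such small groups.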
For additional information about the construction and usage of the chart/stats operators, see the chart/stats overview, Syntax and Structure for chart/stats, and Cheat Sheet for chart/stats.
For information about other operators, functions, and syntax requirements, see Use an Operator in the Query.