
Aggregation Functions

Aggregation functions are used in group compute, every compute, running and enrich (Lynx Flow), and in stats, timechart, eventstats and streamstats (SPL2).

count

Count the number of events.

| stats count
| stats count AS total_events
| stats count(field) -- count non-null values
| stats count(eval(status>=500)) AS errors -- conditional count

sum

Sum of numeric field values.

| stats sum(bytes) AS total_bytes by source

avg

Average (mean) of numeric field values.

| stats avg(duration_ms) AS avg_latency by endpoint

min / max

Minimum and maximum values.

| stats min(duration_ms) AS fastest, max(duration_ms) AS slowest by uri

dc (Distinct Count)

Count of unique values.

| stats dc(user_id) AS unique_users by endpoint
| stats dc(source) AS source_count

values

List of distinct values (returned as a multivalue field).

| stats values(level) AS seen_levels by source

stdev

Standard deviation.

| stats stdev(duration_ms) AS latency_stddev by endpoint

Percentiles

Compute percentile values with the fixed percentile aggregations: perc25, perc50, perc75, perc90, perc95, perc99.

| stats perc25(duration_ms) AS p25,
perc50(duration_ms) AS median,
perc95(duration_ms) AS p95,
perc99(duration_ms) AS p99
by endpoint

perc50 is the median. Percentiles use the t-digest algorithm for memory-efficient approximate computation. Variable-percentile syntax such as percentile(duration_ms, 99.9) is not currently supported.

earliest / latest

First and last values ordered by _time. first is an alias of earliest, and last is an alias of latest.

| stats earliest(status) AS first_status, latest(status) AS last_status by host

Conditional Aggregation

Use eval() inside count or other functions for conditional aggregation:

| stats count AS total,
count(eval(status>=500)) AS errors,
count(eval(status>=200 AND status<300)) AS success
by uri
| eval error_rate = round(errors/total*100, 1)
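As an added example (not part of the Lynx Flow / SPL2 documentation), the following Python snippet emulates the conditional-aggregation pipeline above over a constructed set of access events. It shows the null handling described on this page: count counts every event, count(field) only non-null values, and count(eval(...)) only events where the condition is true. Treating a comparison against a missing field as not true is an assumption of this emulation.

```python
from collections import defaultdict
from typing import Callable, Optional

Event = dict

# Constructed sample of HTTP access events; None models a missing field.
EVENTS = [
    {"uri": "/login", "status": 200, "duration_ms": 120},
    {"uri": "/login", "status": 500, "duration_ms": 950},
    {"uri": "/login", "status": 302, "duration_ms": 80},
    {"uri": "/login", "status": None, "duration_ms": 60},   # status missing
    {"uri": "/api/items", "status": 200, "duration_ms": 40},
    {"uri": "/api/items", "status": 503, "duration_ms": 2100},
    {"uri": "/api/items", "status": 200, "duration_ms": 55},
    {"uri": "/api/items", "status": 500, "duration_ms": 1800},
]

def count(pred: Optional[Callable[[Event], bool]] = None):
    """count / count(eval(pred)): without a predicate every event counts; with one,
    only events where pred is true. A comparison against a missing field raises
    TypeError here and is treated as not true (assumption)."""
    def agg(group):
        if pred is None:
            return len(group)
        n = 0
        for e in group:
            try:
                if pred(e):
                    n += 1
            except TypeError:
                pass  # null comparison -> not counted
        return n
    return agg

def count_field(field: str):
    """count(field): counts only events where the field is non-null."""
    return lambda group: sum(1 for e in group if e.get(field) is not None)

def stats(events, by: str, **aggs):
    """Minimal `stats ... by <field>`: group events, then apply each aggregation."""
    groups = defaultdict(list)
    for e in events:
        groups[e[by]].append(e)
    return {k: {name: f(g) for name, f in aggs.items()} for k, g in groups.items()}

def error_rate_by_uri(events):
    rows = stats(events, "uri",
                 total=count(),
                 errors=count(lambda e: e["status"] >= 500),
                 success=count(lambda e: 200 <= e["status"] < 300))
    for r in rows.values():  # | eval error_rate = round(errors/total*100, 1)
        r["error_rate"] = round(r["errors"] / r["total"] * 100, 1)
    return rows
```

Running error_rate_by_uri(EVENTS) yields /login with total 4, errors 1, success 1 and error_rate 25.0 (the null-status event counts toward total but toward neither condition), and /api/items with error_rate 50.0.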

Summary Table

Function                  | Description          | Example
--------------------------+----------------------+---------------------------------------
count                     | Count events         | count, count(field), count(eval(...))
sum(f)                    | Sum values           | sum(bytes)
avg(f)                    | Average              | avg(duration_ms)
min(f)                    | Minimum              | min(duration_ms)
max(f)                    | Maximum              | max(duration_ms)
dc(f)                     | Distinct count       | dc(user_id)
values(f)                 | Distinct values list | values(level)
stdev(f)                  | Standard deviation   | stdev(duration_ms)
perc25(f)                 | 25th percentile      | perc25(duration_ms)
perc50(f)                 | Median (50th pct)    | perc50(duration_ms)
perc75(f)                 | 75th percentile      | perc75(duration_ms)
perc90(f)                 | 90th percentile      | perc90(duration_ms)
perc95(f)                 | 95th percentile      | perc95(duration_ms)
perc99(f)                 | 99th percentile      | perc99(duration_ms)
earliest(f) / first(f)    | First by time        | earliest(status)
latest(f) / last(f)       | Last by time         | latest(status)