Aggregate Functions
Introduction to Aggregate Functions
Aggregate function overview and categories
Aggregate functions combine multiple rows into a single summary value. They are used inside the summarize operator:
logs
| summarize
    total = count(),
    error_rate = countif(severity_number >= 17) * 1.0 / count(),
    p95 = percentile(duration_ms, 95)
  by service, bin(timestamp, 5m)
Each aggregate collapses the rows in a group into one output row. The by clause defines the grouping keys. For a full introduction to writing queries, see Writing Queries.
summarize holds aggregate state in memory and merges it before producing results, so wide group-by keys, long time ranges, or heavy per-group state (percentiles, make_set/make_list, histograms) can grow it without bound. To stay safe under load, each summarize runs under a per-operator memory budget. When a query exceeds it, the engine degrades instead of failing or running the cluster out of memory: it keeps a representative subset of series — dropping whole series, never punching holes in a timechart — and returns a coverage warning telling you what fraction was retained. If there is no series axis to drop (for example grouping by bin(timestamp, …) alone), the query fails with an actionable error rather than a silently wrong result. Tune it per query with hint.budget=<size> and hint.sample={sample | heaviest}.
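The degradation rule described above, as a toy Python model (an added example, not the engine's code): it computes count() by series and time bin, and when the result exceeds a budget it drops whole series and reports coverage, or fails when there is no series axis. The function name, the one-unit-per-group cost model, the reading of `heaviest` as "most rows first", and coverage as a fraction of series are all assumptions made for illustration.

```python
from collections import defaultdict

class BudgetError(Exception):
    """Over budget and no series axis to drop (grouping by time bin alone)."""

def summarize_count(rows, budget_cells):
    """Toy count() by series, bin(timestamp, ...) under a state budget.

    rows: iterable of (series, time_bin); series is None when grouping by bin alone.
    budget_cells: assumed cost model, one unit per (series, bin) group.
    Returns (kept_cells, coverage) where coverage = kept series / all series.
    """
    cells = defaultdict(int)
    for series, tbin in rows:
        cells[(series, tbin)] += 1
    if len(cells) <= budget_cells:
        return dict(cells), 1.0

    bins_of = defaultdict(list)   # series -> its time bins
    weight = defaultdict(int)     # series -> total rows
    for (series, tbin), n in cells.items():
        bins_of[series].append(tbin)
        weight[series] += n
    if set(bins_of) == {None}:
        raise BudgetError("over budget with no series axis to drop")

    kept, used = {}, 0
    # Assumed reading of "heaviest": consider series by descending row count.
    for series in sorted(bins_of, key=lambda s: (-weight[s], str(s))):
        need = len(bins_of[series])
        if used + need > budget_cells:
            continue              # drop the whole series, never part of it
        used += need
        for tbin in bins_of[series]:
            kept[(series, tbin)] = cells[(series, tbin)]
    coverage = len({s for s, _ in kept}) / len(bins_of)
    return kept, coverage

# Constructed sample: three services over 5-minute bins 0..2.
ROWS = ([("api", b) for b in (0, 1, 2)] * 3
        + [("auth", b) for b in (0, 1, 2)] * 2
        + [("batch", b) for b in (0, 1)])

if __name__ == "__main__":
    kept, coverage = summarize_count(ROWS, budget_cells=6)
    print(sorted(kept), f"coverage={coverage:.2f}")
```

A coverage below 1.0 means a service missing from the output was dropped for budget reasons and was not necessarily absent from the logs, so alerting and hunting queries should check the warning before treating an empty result as a negative.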
| Function | Description |
| --- | --- |
| avg | Calculates the average of values in the group. |
| avgif | Calculates the average of values in the group for which the predicate evaluates to true. |
| count | Returns a count of the records in the input record set. |
| countif | Returns a count of the records for which a predicate is true. |
| dcount | Returns an estimate for the number of distinct values of the expression in the group. |
| dcountif | Returns an estimate for the number of distinct values of the expression in the group, for which the predicate evaluates to true. |
| max | Returns the maximum value across the group. |
| min | Returns the minimum value across the group. |
| stdev | Calculates the sample standard deviation of values in the group. |
| stdevif | Calculates the sample standard deviation of values for which the predicate is true. |
| stdevp | Calculates the population standard deviation of values in the group. |
| sum | Calculates the sum of values in the group. |
| sumif | Calculates the sum of values in the group for which the predicate evaluates to true. |
| take_any | Returns an arbitrary non-null value from the group. |
| take_anyif | Returns an arbitrary non-null value from the group for which the predicate is true. |

| Function | Description |
| --- | --- |
| arg_max | Returns both the maximum value and the corresponding return expression from the row where the first expression is maximum. |
| arg_min | Returns both the minimum value and the corresponding return expression from the row where the first expression is minimum. |

| Function | Description |
| --- | --- |
| first | Returns the value of the expression from the row with the earliest timestamp. |
| last | Returns the value of the expression from the row with the latest timestamp. |
| make_list | Returns a dynamic (JSON) array of all values of Expr in the group. |
| make_list_if | Returns a dynamic (JSON) array of values of expr for the rows in the group where predicate is true. |
| make_set | Returns a dynamic (JSON) array of all distinct values of Expr in the group. |
| make_set_if | Returns a dynamic (JSON) array of distinct values of expr for the rows in the group where predicate is true. |

| Function | Description |
| --- | --- |
| hll | Creates a HyperLogLog sketch. |
| hll_if | Creates a HyperLogLog sketch for records where the predicate evaluates to true. |
| hll_merge | Merges multiple HyperLogLog sketches. |
| merge_tdigest | Merges multiple T-Digest sketches. |
| otel_histogram_merge | Merges OpenTelemetry histogram data points (explicit-boundary or exponential). |
| otel_histogram_percentile | Aggregate that merges OpenTelemetry histogram data points and extracts one or more percentiles from the merged result. |
| percentile | Calculates the specified percentile of a numeric column using DDSketch. |
| tdigest | Creates a T-Digest sketch from numeric values. |

| Function | Description |
| --- | --- |
| deriv | Computes the derivative (rate of change) for a gauge metric. |
| otel_histogram_rate | Per-second rate of observation count for an OpenTelemetry histogram metric. |
| otel_rate | Computes the per-second rate from an OpenTelemetry type=sum metric. |
| rate | Computes the per-second rate of change for a counter metric, handling counter resets. |