Aggregate Functions
Introduction to Aggregate Functions
Aggregate function overview and categories
Aggregate functions combine multiple rows into a single summary value. They are used inside the summarize operator:
```
logs
| summarize
    total = count(),
    error_rate = countif(severity_number >= 17) * 1.0 / count(),
    p95 = percentile(duration_ms, 95)
    by service, bin(timestamp, 5m)
```
Each aggregate collapses the rows in a group into one output row. The by clause defines the grouping keys. For a full introduction to writing queries, see Writing Queries.
| Function | Description |
| --- | --- |
| avg | Calculates the average of values in the group. |
| count | Returns a count of the records in the input record set. |
| countif | Returns a count of the records for which a predicate is true. |
| dcount | Returns an estimate for the number of distinct values of the expression in the group. |
| dcountif | Returns an estimate for the number of distinct values of the expression in the group, for which the predicate evaluates to true. |
| max | Returns the maximum value across the group. |
| min | Returns the minimum value across the group. |
| stdev | Calculates the sample standard deviation of values in the group. |
| stdevif | Calculates the sample standard deviation of values for which the predicate is true. |
| stdevp | Calculates the population standard deviation of values in the group. |
| sum | Calculates the sum of values in the group. |
| take_any | Returns an arbitrary non-null value from the group. |
| take_anyif | Returns an arbitrary non-null value from the group for which the predicate is true. |

| Function | Description |
| --- | --- |
| arg_max | Returns both the maximum value and the corresponding return expression from the row where the first expression is maximum. |
| arg_min | Returns both the minimum value and the corresponding return expression from the row where the first expression is minimum. |

| Function | Description |
| --- | --- |
| first | Returns the value of the expression from the row with the earliest timestamp. |
| last | Returns the value of the expression from the row with the latest timestamp. |
| make_list | Returns a dynamic (JSON) array of all values of Expr in the group. |
| make_set | Returns a dynamic (JSON) array of all distinct values of Expr in the group. |

| Function | Description |
| --- | --- |
| hll | Creates a HyperLogLog sketch. |
| hll_if | Creates a HyperLogLog sketch for records where the predicate evaluates to true. |
| hll_merge | Merges multiple HyperLogLog sketches. |
| merge_tdigest | Merges multiple T-Digest sketches. |
| percentile | Calculates the specified percentile. |
| tdigest | Creates a T-Digest sketch from numeric values. |

| Function | Description |
| --- | --- |
| counter_rate | Computes per-second rate from OpenTelemetry cumulative counters using start_time for reset detection. |
| deriv | Computes the derivative (rate of change) for a gauge metric. |
| rate | Computes the per-second rate of change for a counter metric, handling counter resets. |