The sum aggregation in APL is used to compute the total sum of a specific numeric field in a dataset. This aggregation is useful when you want to find the cumulative value for a certain metric, such as the total duration of requests, total sales revenue, or any other numeric field that can be summed.

You can use the sum aggregation in a wide range of scenarios, such as analyzing log data, monitoring traces, or examining security logs. It’s particularly helpful when you want to get a quick overview of your data in terms of totals or cumulative statistics.

For users of other query languages

If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.

In Splunk, you use the sum function in combination with the stats command to aggregate data. In APL, the sum aggregation works similarly but is structured differently in terms of syntax.

```splunk Splunk example | stats sum(req_duration_ms) as total_duration ``` 
['sample-http-logs']
| summarize total_duration = sum(req_duration_ms)

In ANSI SQL, the SUM function is commonly used with the GROUP BY clause to aggregate data by a specific field. In APL, the sum function works similarly but can be used without requiring a GROUP BY clause for simple summations.

```sql SQL example SELECT SUM(req_duration_ms) AS total_duration FROM sample_http_logs ``` 
['sample-http-logs']
| summarize total_duration = sum(req_duration_ms)

Usage

Syntax

summarize [<new_column_name> =] sum(<numeric_field>)

Parameters

  • <new_column_name>: (Optional) The name you want to assign to the resulting column that contains the sum.
  • <numeric_field>: The field in your dataset that contains the numeric values you want to sum.

Returns

The sum aggregation returns a single row with the sum of the specified numeric field. If used with a by clause, it returns multiple rows with the sum per group.

Use case examples

The sum aggregation can be used to calculate the total request duration in an HTTP log dataset.

Query

['sample-http-logs']
| summarize total_duration = sum(req_duration_ms)

Run in Playground

Output

total_duration
123456

This query calculates the total request duration across all HTTP requests in the dataset.

The sum aggregation can be applied to OpenTelemetry traces to calculate the total span duration.

Query

['otel-demo-traces']
| summarize total_duration = sum(duration)

Run in Playground

Output

total_duration
7890

This query calculates the total duration of all spans in the dataset.

You can use the sum aggregation to calculate the total number of requests based on a specific HTTP status in security logs.

Query

['sample-http-logs']
| where status == '200'
| summarize request_count = sum(1)

Run in Playground

Output

request_count
500

This query counts the total number of successful requests (status 200) in the dataset.
  • count: Counts the number of records in a dataset. Use count when you want to count the number of rows, not aggregate numeric values.
  • avg: Computes the average value of a numeric field. Use avg when you need to find the mean instead of the total sum.
  • min: Returns the minimum value of a numeric field. Use min when you’re interested in the lowest value.
  • max: Returns the maximum value of a numeric field. Use max when you’re interested in the highest value.
  • sumif: Sums a numeric field conditionally. Use sumif when you only want to sum values that meet a specific condition.

Good morning

I'm here to help you with the docs.

I
AIBased on your context