The sumif aggregation function in Axiom Processing Language (APL) computes the sum of a numeric expression for records that meet a specified condition. This function is useful when you want to filter data based on specific criteria and aggregate the numeric values that match the condition. Use sumif when you need to apply conditional logic to sums, such as calculating the total request duration for successful HTTP requests or summing the span durations in OpenTelemetry traces for a specific service.
For users of other query languages
If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk SPL, the sumif equivalent functionality requires using a stats command with a where clause to filter the data. In APL, you can use sumif to simplify this operation by combining both the condition and the summing logic into one function.
summarize total_duration = sumif(duration, status == '200')In ANSI SQL, achieving a similar result typically involves using a CASE statement inside the SUM function to conditionally sum values based on a specified condition. In APL, sumif provides a more concise approach by allowing you to filter and sum in a single function.
summarize total_duration = sumif(duration, status == '200')Usage
Syntax
sumif(numeric_expression, condition)Parameters
numeric_expression: The numeric field or expression you want to sum.condition: A boolean expression that determines which records contribute to the sum. Only the records that satisfy the condition are considered.
Returns
sumif returns the sum of the values in numeric_expression for records where the condition is true. If no records meet the condition, the result is 0.
Use case examples
In this use case, we calculate the total request duration for HTTP requests that returned a 200 status code.
Query
['sample-http-logs']
| summarize total_req_duration = sumif(req_duration_ms, status == '200')Output
| total_req_duration |
|---|
| 145000 |
This query computes the total request duration (in milliseconds) for all successful HTTP requests (those with a status code of 200).
In this example, we sum the span durations for the frontend service in OpenTelemetry traces.
Query
['otel-demo-traces']
| summarize total_duration = sumif(duration, ['service.name'] == 'frontend')Output
| total_duration |
|---|
| 32000 |
This query sums the span durations for traces related to the frontend service, providing insight into how long this service has been running over time.
Here, we calculate the total request duration for failed HTTP requests (those with status codes other than 200).
Query
['sample-http-logs']
| summarize total_req_duration_failed = sumif(req_duration_ms, status != '200')Output
| total_req_duration_failed |
|---|
| 64000 |
This query computes the total request duration for all failed HTTP requests (where the status code isn’t 200), which can be useful for security log analysis.
List of related aggregations
- avgif: Computes the average of a numeric expression for records that meet a specified condition. Use
avgifwhen you’re interested in the average value, not the total sum. - countif: Counts the number of records that satisfy a condition. Use
countifwhen you need to know how many records match a specific criterion. - minif: Returns the minimum value of a numeric expression for records that meet a condition. Useful when you need the smallest value under certain criteria.
- maxif: Returns the maximum value of a numeric expression for records that meet a condition. Use
maxifto identify the highest values under certain conditions.