Used to compute multiple aggregate functions over the input.

It produces one row of data that contains both min and max results.

ParameterTypeRequiredDefaultDescription
function[a]Array of Aggregate Functionsoptional[b]count(as=_count) Specifies which aggregate functions to perform on each group.

[a] The argument name function can be omitted.

[b] Optional parameters use their default value unless explicitly set

Omitted Argument Names

The argument name for function can be omitted; the following forms of this function are equivalent:

logscale
stats("count(as=_count)")

and:

logscale
stats(function="count(as=_count)")

These examples show basic structure only; full examples are provided below.

The stats() is also available as a shorthand syntax by declaring an array of functions:

logscale
...
| stats(function=[min(), max()])

Is equivalent to:

logscale
...
| [min(),max()]

stats() Examples

The following query is equivalent to just count():

logscale
stats(function=count())

To finx the maximum and minimum:

logscale
[min_response := min(responsetime), max_response := max(responsetime)]

The stats() can also be combined with the groupBy() function:

logscale
groupBy(
  ["RemoteAddressIP4", "Country", "Region", "City"], 
  function=stats(function=[
    collect(UserName, as=computersTargeted),
    count(aid, as=loginAttempts),
    count(aid, as=totalSystemsTargeted, distinct=true)
  ])
)

Or as it's syntax equivalent:

logscale
groupBy(
  ["RemoteAddressIP4", "Country", "Region", "City"], 
  function=[
    collect(UserName, as=computersTargeted),
    count(aid, as=loginAttempts),
    count(aid, as=totalSystemsTargeted, distinct=true)
  ]
)

This groups the content by the IP address and location, and then performs count() on those aggregated values for the numger of login attempts and number of systems.