This operation can be used in two different ways:
- If you use it with no arguments, it returns the number of events in each group.
- If you specify an argument, it returns the number of non-null values in each group.
How does it work in the search window?
After grouping the data, select Aggregation in the search window toolbar, then select the Count operation. As noted above, this operation works both with and without arguments.
The data type of the aggregated values is integer.
In the demo.ecommerce.data table, we want to check if there is any null IP address value in each 5-minute period. Before aggregating the data, the table must be grouped in 5-minute intervals.
The arguments needed for the aggregation are:
- Count - clientIpAddress column
Click Aggregate function and you will see the following result:
How does it work in LINQ?
Group your data using the following structure:
as... to add the new column that will show the aggregated values. These are the valid syntaxes for the Count operation:
- count() → Returns the number of events in each group.
- count(number) → Returns the number of non-null values in each group of the selected field.
See Build a query using LINQ to learn more about grouping and aggregating your data using the LINQ language.
You can copy the following LINQ script and try the above example on the
from demo.ecommerce.data group every 5m every 5m select count(clientIpAddress) as null_IP_addresses
The following query shows the count of bytesTransferred records for each unique method / statusCode combination in every 10-minute period. In this case, no argument is specified in the Count operation.
from demo.ecommerce.data group every 10m by statusCode, method every 10m select count() as bytesTransferred_rows
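The two Count forms used in the queries above, reproduced in Python over constructed events so the per-group results can be checked by hand. This is an added example, not Devo code; the eventdate field name, the sample rows and the function names are assumptions. Because count(field) counts non-null values, the number of null IP addresses in a group is count() minus count(clientIpAddress).

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample rows shaped like demo.ecommerce.data (not real data).
# "eventdate" as the timestamp field name is an assumption.
EVENTS = [
    {"eventdate": "2024-01-01T10:00:30Z", "clientIpAddress": "203.0.113.7", "method": "GET", "statusCode": 200},
    {"eventdate": "2024-01-01T10:02:10Z", "clientIpAddress": None, "method": "POST", "statusCode": 500},
    {"eventdate": "2024-01-01T10:04:59Z", "clientIpAddress": "203.0.113.8", "method": "GET", "statusCode": 200},
    {"eventdate": "2024-01-01T10:05:00Z", "clientIpAddress": "203.0.113.9", "method": "GET", "statusCode": 200},
    {"eventdate": "2024-01-01T10:07:45Z", "clientIpAddress": None, "method": "GET", "statusCode": 404},
    {"eventdate": "2024-01-01T10:09:00Z", "clientIpAddress": None, "method": "GET", "statusCode": 404},
    {"eventdate": "2024-01-01T10:12:00Z", "clientIpAddress": "198.51.100.4", "method": "POST", "statusCode": 200},
]


def bucket_start(ts, minutes):
    """Floor an ISO-8601 UTC timestamp to the start of its N-minute bucket (HH:MM)."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    epoch = int(dt.timestamp())
    floored = epoch - epoch % (minutes * 60)
    return datetime.fromtimestamp(floored, tz=timezone.utc).strftime("%H:%M")


def count(events, minutes, by=(), field=None):
    """Per group: count() when field is None, otherwise count(field) (non-null values)."""
    out = defaultdict(int)
    for e in events:
        key = (bucket_start(e["eventdate"], minutes),) + tuple(e[k] for k in by)
        # Touch the key even for a null value so groups with zero non-nulls are kept.
        out[key] += 1 if field is None or e.get(field) is not None else 0
    return dict(out)


def null_counts(events, minutes, field, by=()):
    """Nulls per group = count() - count(field)."""
    total = count(events, minutes, by)
    non_null = count(events, minutes, by, field)
    return {k: total[k] - non_null[k] for k in total}


if __name__ == "__main__":
    print("count(clientIpAddress), 5m:", count(EVENTS, 5, field="clientIpAddress"))
    print("null clientIpAddress, 5m:  ", null_counts(EVENTS, 5, "clientIpAddress"))
    print("count(), 10m by statusCode, method:",
          count(EVENTS, 10, by=("statusCode", "method")))
```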