Aggregations are operations that can be performed on table data that has already been grouped. Aggregate functions perform a calculation on a set of values, and return a single value. Operations include counting records in a group, identifying the minimum or maximum value in a group, or calculating the sum of field values in a group.
When you create an aggregation, a new column appears in the table displaying the results of the operation. You can add multiple aggregations to your query, but you cannot use an existing aggregation as an argument for a new one, nor can you use any of the query's grouping keys (the columns used to group the events) as an argument.
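The rules above, modelled as an added Python example (not the product's own code or query syntax): each aggregation adds one result column per group, and grouping keys or existing aggregation columns are rejected as arguments. The `GroupedTable` class, the event field names and the `func_argument` column-name format are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample events; field names are hypothetical.
EVENTS = [
    {"srcIp": "10.0.0.5", "action": "deny", "bytes": 120},
    {"srcIp": "10.0.0.5", "action": "allow", "bytes": 900},
    {"srcIp": "10.0.0.9", "action": "deny", "bytes": 60},
    {"srcIp": "10.0.0.5", "action": "deny", "bytes": 300},
    {"srcIp": "10.0.0.9", "action": "allow", "bytes": 4000},
]

AGGREGATIONS = {"count": len, "min": min, "max": max, "sum": sum}


class GroupedTable:
    """Events already grouped by `keys`; each aggregation adds one column."""

    def __init__(self, events, keys):
        self.keys = tuple(keys)
        self.groups = defaultdict(list)
        for event in events:
            self.groups[tuple(event[k] for k in self.keys)].append(event)
        self.columns = {}  # column name -> {group: aggregated value}

    def aggregate(self, func, argument=None, name=None):
        if func not in AGGREGATIONS:
            raise ValueError(f"unknown aggregation: {func}")
        if argument in self.keys:
            raise ValueError("a grouping key cannot be an aggregation argument")
        if argument in self.columns:
            raise ValueError("an existing aggregation cannot be an argument")
        if argument is None and func != "count":
            raise ValueError(f"{func} needs an argument")
        # Assumed naming scheme: derived from aggregation and argument, editable.
        name = name or (f"{func}_{argument}" if argument else func)
        self.columns[name] = {
            group: AGGREGATIONS[func](
                rows if argument is None else [row[argument] for row in rows]
            )
            for group, rows in self.groups.items()
        }
        return name


table = GroupedTable(EVENTS, keys=["srcIp"])
table.aggregate("count")
table.aggregate("sum", "bytes")
table.aggregate("max", "bytes", name="largest_transfer")
```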
Having already grouped your table data, follow these steps to aggregate the grouped values:
- Select the icon from the query window toolbar. The Operations Over Columns window appears with the Aggregate function option selected.
- The Column Name is calculated automatically based upon the aggregation and arguments you choose. However, you can edit this value if you prefer.
- Select the Aggregation dropdown list to select the type of aggregation you will perform on the selected argument. To get more information about an aggregation type, click the info icon.
- Click New Argument to select the arguments on which you want to perform the aggregation.
- When you're done, select Aggregate function to add the column containing the aggregated values to the table.
See Aggregate operations for more information on the functions you can use when aggregating data.