Tabular Operators
summarize operator
Produces a table that aggregates the content of the dataset.
Syntax
| summarize [[Column =] Aggregation [, ...]] [by [Column =] GroupExpression [, ...]]Arguments
| name | type | description |
|---|---|---|
| Field | string | Result Field Name |
| Aggregation | function | A call to an aggregation function such as min() or max(), with Field names as arguments. |
| GroupExpression | expression | A scalar expression that can reference the dataset |
Returns
- The input rows are arranged into groups having the same values of the
byexpressions. - Then the specified aggregation functions are computed over each group, producing a row for each group.
- The result contains the
bycolumns and also at least one column for each computed aggregate. (Some aggregation functions return multiple columns.)
Example
['http-logs']
| summarize topk(content_type, 20)githubreleaseevent
| summarize topk(repo, 20) by bin(_time, 24h)Returns a table that shows the heatmap in each interval [0, 30], [30, 20, 10], and so on. This example has a cell for HISTOGRAM(req_duration_ms).
['http-logs']
| summarize histogram(req_duration_ms, 30)githubpushevent
| where _time > ago(7d)
| where repo contains "axiom"
| summarize count(), numCommits=sum(size) by _time=bin(_time, 3h), repo
| take 100
