avg

The avg aggregation in APL calculates the average value of a numeric field across a set of records. You can use this aggregation when you need to determine the mean value of numerical data, such as request durations, response times, or other performance metrics. It is useful in scenarios such as performance analysis, trend identification, and general statistical analysis.

When to use avg:

When you want to analyze the average of numeric values over a specific time range or set of data.
For comparing trends, like average request duration or latency across HTTP requests.
To provide insight into system or user performance, such as the average duration of transactions in a service.

For users of other query languages

If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.

Splunk SPL users

In Splunk SPL, the avg function works similarly, but the syntax differs slightly. Here’s how to write the equivalent query in APL.

| stats avg(req_duration_ms) by status

ANSI SQL users

In ANSI SQL, the avg aggregation is used similarly, but APL has a different syntax for structuring the query.

SELECT status, AVG(req_duration_ms)
FROM sample_http_logs
GROUP BY status

Usage

Syntax

summarize avg(ColumnName) [by GroupingColumn]

Parameters

ColumnName: The numeric field you want to calculate the average of.
GroupingColumn (optional): A column to group the results by. If not specified, the average is calculated over all records.

Returns

A table with the average value for the specified field, optionally grouped by another column.

Use case examples

This example calculates the average request duration for HTTP requests, grouped by status.

Query

['sample-http-logs']
| summarize avg(req_duration_ms) by status

Run in Playground

Output

status	avg_req_duration_ms
200	350.4
404	150.2

This query calculates the average request duration (in milliseconds) for each HTTP status code.

This example calculates the average request duration for HTTP requests, grouped by status.

Query

['sample-http-logs']
| summarize avg(req_duration_ms) by status

Run in Playground

Output

status	avg_req_duration_ms
200	350.4
404	150.2

This query calculates the average request duration (in milliseconds) for each HTTP status code.

This example calculates the average span duration for each service to analyze performance across services.

Query

['otel-demo-traces']
| summarize avg(duration) by ['service.name']

Run in Playground

Output

service.name	avg_duration
frontend	500ms
cartservice	250ms

This query calculates the average duration of spans for each service.

In security logs, you can calculate the average request duration by country to analyze regional performance trends.

Query

['sample-http-logs']
| summarize avg(req_duration_ms) by ['geo.country']

Run in Playground

Output

geo.country	avg_req_duration_ms
US	400.5
DE	250.3

This query calculates the average request duration for each country from where the requests originated.

sum: Use sum to calculate the total of a numeric field. This is useful when you want the total of values rather than their average.
count: The count function returns the total number of records. It’s useful when you want to count occurrences rather than averaging numerical values.
min: The min function returns the minimum value of a numeric field. Use this when you’re interested in the smallest value in your dataset.
max: The max function returns the maximum value of a numeric field. This is useful for finding the largest value in the data.
stdev: This function calculates the standard deviation of a numeric field, providing insight into how spread out the data is around the mean.

arg_max avgif

On this page

For users of other query languages
Usage
Syntax
Parameters
Returns
Use case examples
List of related aggregations

When to use avg:

When you want to analyze the average of numeric values over a specific time range or set of data.
For comparing trends, like average request duration or latency across HTTP requests.
To provide insight into system or user performance, such as the average duration of transactions in a service.

For users of other query languages

If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.

Splunk SPL users

In Splunk SPL, the avg function works similarly, but the syntax differs slightly. Here’s how to write the equivalent query in APL.

| stats avg(req_duration_ms) by status

ANSI SQL users

In ANSI SQL, the avg aggregation is used similarly, but APL has a different syntax for structuring the query.

SELECT status, AVG(req_duration_ms)
FROM sample_http_logs
GROUP BY status

Usage

Syntax

summarize avg(ColumnName) [by GroupingColumn]

Parameters

ColumnName: The numeric field you want to calculate the average of.
GroupingColumn (optional): A column to group the results by. If not specified, the average is calculated over all records.

Returns

A table with the average value for the specified field, optionally grouped by another column.

Use case examples

This example calculates the average request duration for HTTP requests, grouped by status.

Query

['sample-http-logs']
| summarize avg(req_duration_ms) by status

Run in Playground

Output

status	avg_req_duration_ms
200	350.4
404	150.2

This query calculates the average request duration (in milliseconds) for each HTTP status code.

This example calculates the average request duration for HTTP requests, grouped by status.

Query

['sample-http-logs']
| summarize avg(req_duration_ms) by status

Run in Playground

Output

status	avg_req_duration_ms
200	350.4
404	150.2

This query calculates the average request duration (in milliseconds) for each HTTP status code.

This example calculates the average span duration for each service to analyze performance across services.

Query

['otel-demo-traces']
| summarize avg(duration) by ['service.name']

Run in Playground

Output

service.name	avg_duration
frontend	500ms
cartservice	250ms

This query calculates the average duration of spans for each service.

In security logs, you can calculate the average request duration by country to analyze regional performance trends.

Query

['sample-http-logs']
| summarize avg(req_duration_ms) by ['geo.country']

Run in Playground

Output

geo.country	avg_req_duration_ms
US	400.5
DE	250.3

This query calculates the average request duration for each country from where the requests originated.

sum: Use sum to calculate the total of a numeric field. This is useful when you want the total of values rather than their average.
count: The count function returns the total number of records. It’s useful when you want to count occurrences rather than averaging numerical values.
min: The min function returns the minimum value of a numeric field. Use this when you’re interested in the smallest value in your dataset.
max: The max function returns the maximum value of a numeric field. This is useful for finding the largest value in the data.
stdev: This function calculates the standard deviation of a numeric field, providing insight into how spread out the data is around the mean.

arg_max avgif

On this page

For users of other query languages
Usage
Syntax
Parameters
Returns
Use case examples
List of related aggregations

For users of other query languages

Usage

Syntax

Parameters

Returns

Use case examples

Get started

Functions

Operators

Reference

Migration

avg

For users of other query languages

Usage

Syntax

Parameters

Returns

Use case examples

​For users of other query languages

​Usage

​Syntax

​Parameters

​Returns

​Use case examples

​List of related aggregations

Get started

Functions

Operators

Reference

Migration

​For users of other query languages

​Usage

​Syntax

​Parameters

​Returns

​Use case examples

​List of related aggregations

For users of other query languages

Usage

Syntax

Parameters

Returns

Use case examples

List of related aggregations

For users of other query languages

Usage

Syntax

Parameters

Returns

Use case examples

List of related aggregations