sum

The sum aggregation in APL is used to compute the total sum of a specific numeric field in a dataset. This aggregation is useful when you want to find the cumulative value for a certain metric, such as the total duration of requests, total sales revenue, or any other numeric field that can be summed.

You can use the sum aggregation in a wide range of scenarios, such as analyzing log data, monitoring traces, or examining security logs. It is particularly helpful when you want to get a quick overview of your data in terms of totals or cumulative statistics.

For users of other query languages

If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.

Splunk SPL users

In Splunk, you use the sum function in combination with the stats command to aggregate data. In APL, the sum aggregation works similarly but is structured differently in terms of syntax.

| stats sum(req_duration_ms) as total_duration

ANSI SQL users

In ANSI SQL, the SUM function is commonly used with the GROUP BY clause to aggregate data by a specific field. In APL, the sum function works similarly but can be used without requiring a GROUP BY clause for simple summations.

SELECT SUM(req_duration_ms) AS total_duration
FROM sample_http_logs

Usage

Syntax

summarize [<new_column_name> =] sum(<numeric_field>)

Parameters

<new_column_name>: (Optional) The name you want to assign to the resulting column that contains the sum.
<numeric_field>: The field in your dataset that contains the numeric values you want to sum.

Returns

The sum aggregation returns a single row with the sum of the specified numeric field. If used with a by clause, it returns multiple rows with the sum per group.

Use case examples

The sum aggregation can be used to calculate the total request duration in an HTTP log dataset.

Query

['sample-http-logs']
| summarize total_duration = sum(req_duration_ms)

Run in Playground

Output

total_duration
123456

This query calculates the total request duration across all HTTP requests in the dataset.

The sum aggregation can be used to calculate the total request duration in an HTTP log dataset.

Query

['sample-http-logs']
| summarize total_duration = sum(req_duration_ms)

Run in Playground

Output

total_duration
123456

This query calculates the total request duration across all HTTP requests in the dataset.

The sum aggregation can be applied to OpenTelemetry traces to calculate the total span duration.

Query

['otel-demo-traces']
| summarize total_duration = sum(duration)

Run in Playground

Output

total_duration
7890

This query calculates the total duration of all spans in the dataset.

You can use the sum aggregation to calculate the total number of requests based on a specific HTTP status in security logs.

Query

['sample-http-logs']
| where status == '200'
| summarize request_count = sum(1)

Run in Playground

Output

request_count
500

This query counts the total number of successful requests (status 200) in the dataset.

count: Counts the number of records in a dataset. Use count when you want to count the number of rows, not aggregate numeric values.
avg: Computes the average value of a numeric field. Use avg when you need to find the mean instead of the total sum.
min: Returns the minimum value of a numeric field. Use min when you’re interested in the lowest value.
max: Returns the maximum value of a numeric field. Use max when you’re interested in the highest value.
sumif: Sums a numeric field conditionally. Use sumif when you only want to sum values that meet a specific condition.

stdevif sumif

On this page

For users of other query languages
Usage
Syntax
Parameters
Returns
Use case examples
List of related aggregations

For users of other query languages

If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.

Splunk SPL users

In Splunk, you use the sum function in combination with the stats command to aggregate data. In APL, the sum aggregation works similarly but is structured differently in terms of syntax.

| stats sum(req_duration_ms) as total_duration

ANSI SQL users

SELECT SUM(req_duration_ms) AS total_duration
FROM sample_http_logs

Usage

Syntax

summarize [<new_column_name> =] sum(<numeric_field>)

Parameters

<new_column_name>: (Optional) The name you want to assign to the resulting column that contains the sum.
<numeric_field>: The field in your dataset that contains the numeric values you want to sum.

Returns

The sum aggregation returns a single row with the sum of the specified numeric field. If used with a by clause, it returns multiple rows with the sum per group.

Use case examples

The sum aggregation can be used to calculate the total request duration in an HTTP log dataset.

Query

['sample-http-logs']
| summarize total_duration = sum(req_duration_ms)

Run in Playground

Output

total_duration
123456

This query calculates the total request duration across all HTTP requests in the dataset.

The sum aggregation can be used to calculate the total request duration in an HTTP log dataset.

Query

['sample-http-logs']
| summarize total_duration = sum(req_duration_ms)

Run in Playground

Output

total_duration
123456

This query calculates the total request duration across all HTTP requests in the dataset.

The sum aggregation can be applied to OpenTelemetry traces to calculate the total span duration.

Query

['otel-demo-traces']
| summarize total_duration = sum(duration)

Run in Playground

Output

total_duration
7890

This query calculates the total duration of all spans in the dataset.

You can use the sum aggregation to calculate the total number of requests based on a specific HTTP status in security logs.

Query

['sample-http-logs']
| where status == '200'
| summarize request_count = sum(1)

Run in Playground

Output

request_count
500

This query counts the total number of successful requests (status 200) in the dataset.

count: Counts the number of records in a dataset. Use count when you want to count the number of rows, not aggregate numeric values.
avg: Computes the average value of a numeric field. Use avg when you need to find the mean instead of the total sum.
min: Returns the minimum value of a numeric field. Use min when you’re interested in the lowest value.
max: Returns the maximum value of a numeric field. Use max when you’re interested in the highest value.
sumif: Sums a numeric field conditionally. Use sumif when you only want to sum values that meet a specific condition.

stdevif sumif

On this page

For users of other query languages
Usage
Syntax
Parameters
Returns
Use case examples
List of related aggregations

For users of other query languages

Usage

Syntax

Parameters

Returns

Use case examples

Get started

Functions

Operators

Reference

Migration

sum

For users of other query languages

Usage

Syntax

Parameters

Returns

Use case examples

​For users of other query languages

​Usage

​Syntax

​Parameters

​Returns

​Use case examples

​List of related aggregations

Get started

Functions

Operators

Reference

Migration

​For users of other query languages

​Usage

​Syntax

​Parameters

​Returns

​Use case examples

​List of related aggregations

For users of other query languages

Usage

Syntax

Parameters

Returns

Use case examples

List of related aggregations

For users of other query languages

Usage

Syntax

Parameters

Returns

Use case examples

List of related aggregations