NQL functions
Functions are predefined operations that aggregate datasets, enabling further analysis. They include operations such as summing, averaging, and counting, often within grouped data. You can use aggregation functions with the compute and summarize clauses.
Syntax
devices during past 7d
| include execution.events during past 7d
| compute number_of_devices = device.count()

devices during past 7d
| summarize c = count()
The following sections list all available aggregation functions, with usage rules and examples.
Chaining of functions
You can call more than one function on the same field. Currently, the system supports chaining of the time_elapsed() function.
Example:
The following query returns the list of devices with the time elapsed since their last fast startup.
devices
| include device_performance.boots
| where type == fast_startup
| compute time_since_last_fast_startup = time.last().time_elapsed()
Aggregated metrics
It is important to distinguish functions from aggregated metrics. The data model contains various aggregated metrics that simplify access to information; they are defined as fields of the data model.
Field | Description | Example |
---|---|---|
 | Average value of the metric aggregated in the bucket. | |
 | Sum of all values of the metric aggregated in the bucket. | |
 | Number of aggregated values in the bucket. | |
Smart aggregates
A smart aggregate is an aggregate over an aggregated metric that abstracts away the underlying computation. Smart aggregates are not fields of the data model; the parser computes them on the fly while executing a query.
Aggregate | Description |
---|---|
 | Average value of the metric. |
 | Sum of all values of the metric. |
 | Maximum value of the metric. |
 | Minimum value of the metric. |
 | Number of aggregated values. |
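As an added example (not from the original page), the two queries below contrast per-device smart aggregates under compute with a dataset-wide summarize. The clause syntax, the device_performance.boots table, the fast_startup filter and count() are taken from this page; the metric field name duration is an assumption and must be checked against your own data model before use.

```nql
// Added example, not from the original page.
// Assumption: device_performance.boots exposes a metric named `duration`.
// compute keeps one row per device and evaluates the smart aggregates
// over that device's included boot events.
devices during past 7d
| include device_performance.boots during past 7d
| where type == fast_startup
| compute avg_fast_boot = duration.avg(),
          max_fast_boot = duration.max(),
          fast_boots = duration.count()

// summarize collapses the whole dataset to a single row, here counting
// fast startups across the fleet.
devices during past 7d
| include device_performance.boots during past 7d
| where type == fast_startup
| summarize fast_boots = count()
```

Use the compute form when you need a value per device (for example, to sort or filter devices by their own boot behaviour) and the summarize form when you need one figure for the whole result set.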