NQL count()

The count() function returns the number of unique objects or punctual events.

Using with the ‘compute’ clause

For objects:

It returns the number of unique objects.

devices during past 7d
| include execution.events during past 7d
| compute number_of_devices = device.count()

For punctual events:

It computes the number of events per object.

devices during past 7d
| include execution.crashes during past 7d
| compute number_of_crashes_ = count()

For sampled events:

It is not recommended to use the count() function on sampled events as it will return the number of data samples, not the actual number of events.

Using with the ‘summarize’ clause

When used with the summarize clause, the count() function always returns the number of records in the root table.

For objects:

It returns the number of objects.

devices during past 7d
| summarize c1 = count()

For punctual events:

It returns the number of events.

execution.crashes during past 7d
| summarize c1 = number_of_crashes.count()

Note that the following query returns the number of records of root table (in this case, devices), not the number of unique events. To count events, use the sum() function in the summarize clause instead.

devices during past 7d
| include execution.crashes during past 7d
| compute number_of_crashes_ = number_of_crashes.count()
| summarize c1 = number_of_crashes_.count()

For sampled events:

It is not recommended to use the count() function on sampled events as it will return the number of data samples, not the actual number of events.

Last updated 17 days ago