NQL compute

The compute command aggregates and extracts metrics from the events table and appends it to the results table as a new column with metric per object. It can be used only after a with or include clause.

Syntax

...
| include... 
| compute <new_metric> = <metric>.<aggregation function>

...
| with... 
| compute <new_metric> = <metric>.<aggregation function>

Example

devices during past 7d
| include execution.crashes during past 7d
| compute nb_crashes = number_of_crashes.sum()

Using with the ‘count()’ function

When used without a field specified, the count() aggregation function applies to the event table. For example, in the following query the compute clause appends new column with the number of boots per device.

devices during past 7d
| include device_performance.boots during past 7d
| compute nb_boots = count()

You can also count the unique inventory objects as a new column, using the <object>.count() syntax. It appends a new column with either 1 or 0 as the value, based on whether the object has relevant events or not. In the following example, the compute clause returns 1 for the devices that have been booted during past 7 days, and 0 for devices with no boots recorded in that time period. In the last statement, summarize clause is used for computing the ratio of devices with boots.

devices during past 7d
| include device_performance.boots during past 7d
| compute nb_devices_with_boots = device.count()
| summarize ratio_devices_with_boots = nb_devices_with_boots.sum()/count()

Last updated 5 months ago