# NQL functions

Functions are predefined operations that aggregate datasets, enabling further analysis. They include operations like summing, averaging, and counting, often within grouped data. You can use aggregation functions with the `compute` and `summarize` clauses.

## Syntax <a href="#nqlfunctions-syntax" id="nqlfunctions-syntax"></a>

{% code overflow="wrap" lineNumbers="true" %}

```
devices during past 7d 
| include device_performance.system_crashes during past 7d 
| compute number_of_crashes = number_of_system_crashes.sum()
```

{% endcode %}

## Aggregated metrics <a href="#nqlfunctions-aggregatedmetrics" id="nqlfunctions-aggregatedmetrics"></a>

It's important to differentiate between functions and **aggregated metrics**. The data model contains various aggregated metrics that simplify access to information. They are defined as fields of the data model.

<table data-full-width="false"><thead><tr><th width="196">Field</th><th width="269">Description</th><th>Example</th></tr></thead><tbody><tr><td><code>&#x3C;metric>.avg</code></td><td>Average value of the metric aggregated in the bucket.</td><td><code>where unload_event.avg > 1.0</code></td></tr><tr><td><code>&#x3C;metric>.sum</code></td><td>Sum of all values of the metric aggregated in the bucket.</td><td><code>where unload_event.sum == 10</code></td></tr><tr><td><code>&#x3C;metric>.count</code></td><td>Number of aggregated values in the bucket.</td><td><code>where unload_event.count &#x3C;= 4</code></td></tr><tr><td><code>&#x3C;metric>.min</code></td><td></td><td></td></tr></tbody></table>

## Smart aggregates <a href="#nqlfunctions-smartaggregates" id="nqlfunctions-smartaggregates"></a>

A smart aggregate is an aggregate on an aggregated metric that abstracts the underlying computation. Smart aggregates are not fields of the data model. During the execution of a query, the parser computes them on the fly.

<table data-full-width="false"><thead><tr><th width="222">Aggregate</th><th>Description</th></tr></thead><tbody><tr><td><code>&#x3C;metric>.avg()</code></td><td>Average value of the metric.<br>It is equivalent to <code>&#x3C;metric>.sum.sum() / &#x3C;metric>.count.sum()</code></td></tr><tr><td><code>&#x3C;metric>.sum()</code></td><td>Sum of all values of the metric.<br>It is equivalent to <code>&#x3C;metric>.sum.sum()</code></td></tr><tr><td><code>&#x3C;metric>.max()</code></td><td>Maximum value of the metric.<br>It is equivalent to <code>&#x3C;metric>.max.max()</code></td></tr><tr><td><code>&#x3C;metric>.min()</code></td><td>Minimum value of the metric.<br>It is equivalent to <code>&#x3C;metric>.min.min()</code></td></tr><tr><td><code>&#x3C;metric>.count()</code></td><td>Number of aggregated values.<br>It is equivalent to <code>&#x3C;metric>.count.sum()</code></td></tr></tbody></table>

**Example:**

Retrieve a list of devices with less than 3GB of average free memory. The following query includes the `free_memory.avg()` smart aggregate in a `compute` clause. It computes the average free memory based on the same underlying data points as the `free_memory.avg` aggregated metric. It is equivalent to `free_memory.avg.avg()`.

{% code overflow="wrap" lineNumbers="true" %}

```
devices during past 7d
| with device_performance.events during past 7d
| compute avg_free_memory = free_memory.avg()
| where avg_free_memory < 3GB
```

{% endcode %}
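
The following Python sketch is an added illustration, not Nexthink code: it models each bucket by its aggregated-metric fields and applies the equivalences from the smart aggregates table, then filters devices the way the query above does. The `Bucket` class, the function names, the device names and the sample values (free memory expressed in GB) are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Bucket:
    """Aggregated-metric fields of one time bucket (constructed model)."""
    total: float    # <metric>.sum
    count: int      # <metric>.count
    minimum: float  # <metric>.min
    maximum: float  # <metric>.max


def smart_aggregates(buckets):
    """Apply the table's equivalences across buckets; None if there is no data."""
    count = sum(b.count for b in buckets)            # <metric>.count.sum()
    if count == 0:
        return None
    total = sum(b.total for b in buckets)            # <metric>.sum.sum()
    return {
        "sum": total,
        "count": count,
        "avg": total / count,                        # sum.sum() / count.sum()
        "min": min(b.minimum for b in buckets),      # <metric>.min.min()
        "max": max(b.maximum for b in buckets),      # <metric>.max.max()
    }


def devices_below(devices, threshold_gb):
    """Names of devices whose avg() smart aggregate is under the threshold."""
    selected = []
    for name, buckets in sorted(devices.items()):
        aggregates = smart_aggregates(buckets)
        if aggregates is not None and aggregates["avg"] < threshold_gb:
            selected.append(name)
    return selected


# Constructed sample: free memory in GB per bucket, not real telemetry.
SAMPLE_DEVICES = {
    "laptop-01": [Bucket(20.0, 10, 1.5, 2.5), Bucket(12.0, 2, 5.5, 6.5)],
    "laptop-02": [Bucket(16.0, 4, 3.0, 5.0), Bucket(20.0, 4, 4.0, 6.0)],
    "laptop-03": [],  # no events in the period, so nothing to aggregate
}

if __name__ == "__main__":
    for device, buckets in SAMPLE_DEVICES.items():
        print(device, smart_aggregates(buckets))
    print("below 3 GB:", devices_below(SAMPLE_DEVICES, 3.0))
```

Because the average divides the summed values by the summed counts, the 10-sample bucket of `laptop-01` carries more weight than its 2-sample bucket.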

## Chaining of functions <a href="#nqlfunctions-chainingoffunctions" id="nqlfunctions-chainingoffunctions"></a>

You can call more than one function on the same field. Currently, the system supports chaining of the `time_elapsed()` function.

**Example:**

The following query returns the list of devices with the time elapsed since their last fast startup.

{% code overflow="wrap" lineNumbers="true" %}

```
devices
| include device_performance.boots
| where type == fast_startup
| compute time_since_last_fast_startup = time.last().time_elapsed()
```

{% endcode %}

In the following section you can find a list of all available functions with usage rules and examples.
