 Download topic as PDF

# Aggregation

The following are scalar functions that you can use in the `stats` and `aggregate with trigger` streaming functions to perform calculations over data in a given time-window.

## average(value)

Calculates the average (mean) of values in a time window.

Function Input
value: T
Function Output
double

### SPL2 example

The following example returns the average (mean) "size" for each distinct "host".

`...| stats average(size) BY host, span(timestamp, 50s, 10s) |...; `

Alternatively, you can use named arguments. See SPL2 syntax for more details.

`...| stats average(value: size) BY host, span(timestamp, 50s, 10s) |...; `

## count(value)

Returns the number of non-null values in a time window.

Function Input
value: any
Function Output
long

### SPL2 example

Returns the count of the "status_code" field.

```...| stats count(status_code) by status_code, span(window_start, 5000ms, 1000ms, 1000ms) |...;
```

Alternatively, you can use named arguments. See SPL2 syntax for more details.

```...| stats count(value: status_code) by status_code, span(window_start, 5000ms, 1000ms, 1000ms) |...;
```

## etsdc(value)

Estimated Distinct Count (estdc) is a stats function that calculates an approximated distinct count value for any field. This function works with ~1.5% error bound.

Function Input
value: string
Function Output
long

### SPL2 example

```... | stats estdc(input) by span(timestamp, 10ms);
```

## max(value)

Returns the maximum value in a time window.

Function Input
value: number
Function Output
number

### SPL2 example

Returns the maximum value of the "time_taken" field.

```...| stats max(time_taken) by time_taken, span(timestamp, 50s, 10s) |...;
```

Alternatively, you can use named arguments. See SPL2 syntax for more details.

```...| stats max(value: time_taken) by time_taken, span(timestamp, 50s, 10s) |...;
```

## mean(value)

Calculates the average (mean) of values in a time window.

Function Input
value: number
Function Output
double

### SPL2 example

Returns the average value of the "time_taken" field.

```...| stats mean(time_taken) by time_taken, span(timestamp, 50s, 10s) |...;
```

Alternatively, you can use named arguments. See SPL2 syntax for more details.

```...| stats mean(value: time_taken) by time_taken, span(timestamp, 50s, 10s) |...;
```

## min(value)

Returns the minimum value in a time window.

Function Input
value: number
Function Output
number

### SPL2 example

Returns the minimum value of the "time_taken" field.

```...| stats min(time_taken) by time_taken, span(timestamp, 50s, 10s) |...;
```

Alternatively, you can use named arguments. See SPL2 syntax for more details.

```...| stats min(value: time_taken) by time_taken, span(timestamp, 50s, 10s) |...;
```

## perc(value)

Percentiles (perc) is a stats function that computes the approximate q-th percentile value of a numeric field input field with ~1.5% error bound. The perc(input, 0.75) field in the resulting set should contain appropriate percentile value.

Function Input
value: number
Function Output
T

### SPL2 example

```...| stats perc(input, 0.75) by span(timestamp, 10ms);
```

## sum(value)

Returns the sum of values in a time window.

Function Input
value: number
Function Output
number

### SPL2 example

Returns the sum of the "time_taken" field.

```...| stats sum(time_taken) by time_taken, span(timestamp, 50s, 10s) |...;
```

Alternatively, you can use named arguments. See SPL2 syntax for more details.

```...| stats sum(value: time_taken) by time_taken, span(timestamp, 50s, 10s) |...;
```