COUNT_IF

Returns the number of rows in the time window for which VALUE evaluates to true. Rows for which VALUE is not true are not counted.

Syntax

COUNT_IF(VALUE)

Arguments

VALUE: A BOOLEAN expression; it can be a calculated field or a column from the data streams.

Returns

A number

AVAILABLE IN

Output Type              Availability
Aggregated Outputs       YES
Explicit Lookup Table    YES
Inline Joins\Lookups     YES

Example

Count the number of sample events overall, and the number of security-related sample events specifically, per event type.

Data

{
   "type":"event",
   "id":"1",
   "data":"sample data",
   "extendeddata":"application"
}

{
   "type":"event",
   "id":"2",
   "data":"sample data",
   "extendeddata":"security"
}

{
   "type":"event",
   "id":"3",
   "data":"sample data",
   "extendeddata":"application"
}

{
   "type":"event",
   "id":"5",
   "data":"production data",
   "extendeddata":"application"
}

{
   "type":"event",
   "id":"7",
   "data":"production data",
   "extendeddata":"security"
}

Query:

SELECT
   type,
   COUNT_IF(data = 'sample data') AS data,
   COUNT_IF(data = 'sample data' AND extendeddata = 'security') AS security
FROM
   stream
GROUP BY
   type

Results:

type    data    security
event   3       1
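The following Python is an added reference model of the query above, not the product's engine and not code from this page. It reproduces the result table from the page's sample data in a single pass over the window: events are grouped by `type`, and each COUNT_IF predicate is counted only when it evaluates strictly to true. Treating a missing field as unknown (SQL NULL), so that neither a false nor an unknown predicate is counted, is an assumption of this example.

```python
from collections import defaultdict
from typing import Callable, Dict, Iterable, Mapping, Optional

Event = Mapping[str, object]

# Constructed sample events, copied from the Data section above.
EVENTS = [
    {"type": "event", "id": "1", "data": "sample data", "extendeddata": "application"},
    {"type": "event", "id": "2", "data": "sample data", "extendeddata": "security"},
    {"type": "event", "id": "3", "data": "sample data", "extendeddata": "application"},
    {"type": "event", "id": "5", "data": "production data", "extendeddata": "application"},
    {"type": "event", "id": "7", "data": "production data", "extendeddata": "security"},
]


def eq(event: Event, field: str, value: object) -> Optional[bool]:
    """SQL-style equality: True/False when the field is present, None (unknown)
    when it is missing. Assumption: a missing field behaves like SQL NULL."""
    if field not in event:
        return None
    return event[field] == value


def count_if(events: Iterable[Event],
             predicates: Mapping[str, Callable[[Event], Optional[bool]]],
             group_by: str) -> Dict[object, Dict[str, int]]:
    """One pass over the window: for every group key, count how many events
    make each predicate strictly True. False and None (unknown) do not count,
    which is what 'the number of true values' means for COUNT_IF."""
    result: Dict[object, Dict[str, int]] = defaultdict(
        lambda: {name: 0 for name in predicates})
    for ev in events:
        counts = result[ev.get(group_by)]
        for name, pred in predicates.items():
            if pred(ev) is True:
                counts[name] += 1
    return dict(result)


def page_query(events: Iterable[Event] = EVENTS) -> Dict[object, Dict[str, int]]:
    """The page's query: GROUP BY type with two conditional counts.
    Python's short-circuit `and` mirrors SQL three-valued AND here:
    False and None -> False, True and None -> None; neither is counted."""
    return count_if(
        events,
        {
            "data": lambda ev: eq(ev, "data", "sample data"),
            "security": lambda ev: (eq(ev, "data", "sample data")
                                    and eq(ev, "extendeddata", "security")),
        },
        group_by="type",
    )


if __name__ == "__main__":
    print(page_query())  # {'event': {'data': 3, 'security': 1}}
```

The point worth taking from the model is the single scan: several conditional counts (all sample events, only the security-related ones) come out of one pass over the window rather than one query per condition, and an event that lacks the field a predicate refers to simply drops out of that count instead of raising an error.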

See also

COUNT, COUNT(*), COUNT_DISTINCT, COUNT_EACH
