countif
The countif aggregation function counts events based on a predicate.
Use this function with the summarize, eventstats, and timestats operators.
If you need to count non-null values regardless of truthiness, use the
count aggregation function instead.
Syntax
countif( Predicate )
Arguments
- Predicate: An expression used for the aggregation calculation. Use any scalar expression that returns a
bool value. Wildcards are not supported for field names.
Results
Returns a count of rows for which Predicate evaluates to true.
Examples
This example summarizes byte counts (with a minimum value of 11), by source address:
dataset="cribl_search_sample" dataSource="vpcflowlogs"
| summarize gtthan10Count=countif(bytes > 10) by srcaddr
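A second example, added here and not taken from the Cribl documentation, counts rejected and accepted flows per source address side by side, so the ratio of denied to allowed connections is visible in one row. It assumes the vpcflowlogs events carry the standard VPC Flow Logs action field (values ACCEPT or REJECT); the threshold of 100 rejected flows is an arbitrary example value.

```kusto
dataset="cribl_search_sample" dataSource="vpcflowlogs"
// Two countif aggregations over the same group, each with its own predicate,
// next to a plain count() of all rows in the group for comparison.
| summarize rejectedCount=countif(action == "REJECT"),
            acceptedCount=countif(action == "ACCEPT"),
            totalCount=count()
  by srcaddr
// Keep only sources whose rejected flow count exceeds the (arbitrary) threshold.
| where rejectedCount > 100
| order by rejectedCount desc
```

Because countif only counts rows where the predicate is true, rejectedCount plus acceptedCount is at most totalCount; any difference is rows whose action is null or some other value.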