Aggregation Functions
These examples show aggregation-only fragments. In a full task you combine them with timespan, and usually group_by / where / window as described in Aggregation & correlation and Reference.
Output shapes use a padas wrapper in some builds; your deployment may flatten metrics — confirm against GET …/status or sink payloads.
Also useful: PDL Quick Reference
Basic aggregation functions
Count
Totals events in the window (all rows, unless constrained by where).
count timespan=5m
Output:
{
  "padas": {
    "count": 4
  }
}
Only count rows where field1 exists:
count(field1) timespan=5m
Output:
{
  "padas": {
    "count_field1": 4
  }
}
Named metric:
count AS my_count timespan=5m
Output:
{
  "my_count": 4
}
Distinct count
Unique values of field1 in the window.
distinct_count(field1) timespan=5m
Output:
{
  "padas": {
    "distinct_count_field1": 3
  }
}
Shorthand:
dc(field1) timespan=5m
Statistical aggregations
Average
Mean of numeric samples.
avg(numeric_field) timespan=5m
Output:
{
  "padas": {
    "avg_numeric_field": 42.5
  }
}
Median
median(numeric_field) timespan=5m
Output:
{
  "padas": {
    "median_numeric_field": 40.0
  }
}
Minimum / maximum
min(numeric_field) timespan=5m
Output:
{
  "padas": {
    "min_numeric_field": 10.0
  }
}
max(numeric_field) timespan=5m
Output:
{
  "padas": {
    "max_numeric_field": 100.0
  }
}
Variance / standard deviation
variance(numeric_field) timespan=5m
Output:
{
  "padas": {
    "variance_numeric_field": 225.0
  }
}
stddev(numeric_field) timespan=5m
Output:
{
  "padas": {
    "stddev_numeric_field": 15.0
  }
}
Notes
- Every aggregation needs a timespan (and optionally window=, slide=, gap= for sliding/session semantics — see Reference).
- Without AS, output keys often follow {function}_{field}; AS alias replaces that pattern for that metric.
- Combine multiple functions in one clause:
  count AS n, avg(score) AS avg_score timespan=5m group_by tenant
- group_by and where apply to all metrics in the same aggregation statement unless your engine documents otherwise.
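A consumer-side example for the output-shape and key-naming notes on this page, added here and not part of the Padas documentation or code: it reads a metric from a sink payload whether the build wraps metrics in padas or flattens them, and raises instead of defaulting when the expected key is missing. The function names, the flattened sample payload and the handling of mixed shapes are assumptions.

```python
import json

WRAPPER = "padas"  # wrapper key shown in the outputs on this page


def default_key(function, field=None):
    """Key used when no AS alias is given: {function}_{field}, or the bare function name."""
    return f"{function}_{field}" if field else function


def flatten_metrics(payload):
    """Return one flat dict of metrics from a wrapped, flattened, or mixed payload."""
    if not isinstance(payload, dict):
        raise TypeError("aggregation output must be a JSON object")
    wrapped = payload.get(WRAPPER, {})
    if not isinstance(wrapped, dict):
        raise TypeError(f"'{WRAPPER}' must be a JSON object")
    flat = {k: v for k, v in payload.items() if k != WRAPPER}
    for key, value in wrapped.items():
        # The same metric at both levels with different values is ambiguous.
        if key in flat and flat[key] != value:
            raise ValueError(f"conflicting values for metric '{key}'")
        flat[key] = value
    return flat


def get_metric(payload, function, field=None, alias=None):
    """Look up a metric by alias or by its default key; fail loudly if absent."""
    key = alias or default_key(function, field)
    metrics = flatten_metrics(payload)
    if key not in metrics:
        # A missing metric must not be read as 0: a threshold check would pass silently.
        raise KeyError(f"metric '{key}' not in output; keys present: {sorted(metrics)}")
    return metrics[key]


# Constructed sample payloads, modelled on the outputs shown on this page.
WRAPPED = json.loads('{"padas": {"count_field1": 4}}')
ALIASED = json.loads('{"my_count": 4}')
FLATTENED = json.loads('{"distinct_count_field1": 3}')  # assumed shape of a flattening build

if __name__ == "__main__":
    print(get_metric(WRAPPED, "count", "field1"))
    print(get_metric(ALIASED, "count", alias="my_count"))
    print(get_metric(FLATTENED, "distinct_count", "field1"))
```

Renaming a metric with AS in a task changes the key a downstream alert reads, so pass the same alias to the lookup; the KeyError lists the keys that were actually present.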