Cortex Query Language sum function used with both comp and windowcomp stages.
Syntax
comp sum(<field>) [as <alias>] by <field_1>,<field_2> [addrawdata = true|false [as <target field>]]
windowcomp sum(<field>) [by <field> [,<field>,...]] [sort [asc|desc] <field1> [, [asc|desc] <field2>,...]] [between 0|null|<number>|-<number> [and 0|null|<number>|-<number>] [frame_type=range]] [as <alias>]
Description
The sum() function returns the sum of an integer field over a group of rows. The function's syntax and behavior depend on the preceding stage:
When the sum aggregation function is used with a comp stage, the function returns a single sum of an integer field for a group of rows, for all records that contain matching values for the fields identified in the by clause.
In addition, you can control whether the raw data events are included in the final comp results by setting addrawdata to either true or false (the default). When raw data events are included in your query, the query runs for up to 50 fields that you define and displays up to 100 events.
When the sum aggregation function is used with a windowcomp stage, the function returns a sum of an integer field for each row in the group of rows, across all records that contain matching values for the fields identified by the combination of the by clause, the sort clause, and the between window-frame clause. The results are provided in a new column in the results table.
Examples
Return a single sum of the action_total_download field for a group of rows, for all records that have matching actor_process_image_path and actor_process_command_line values. The query calculates a maximum of 100 xdr_data records and includes a raw_data column listing a single value for the results.
dataset = xdr_data | fields actor_process_image_path as Process_Path, actor_process_command_line as Process_CMD, action_total_download as Download | filter Download > 0 | limit 100 | comp sum(Download) as total_download by Process_Path, Process_CMD addrawdata = true as raw_data
Return the download-to-upload ratio per process. The query returns a maximum of 100 xdr_data records, with the per-process sums in new columns called sum_download and sum_upload.
dataset = xdr_data | fields actor_process_image_path as Process_Path, actor_process_command_line as Process_CMD, action_total_download as Download, action_total_upload as Upload | filter Download > 0 | limit 100 | windowcomp sum(Download) by Process_Path, Process_CMD as sum_download | windowcomp sum(Upload) by Process_Path, Process_CMD as sum_upload | fields - Download, Upload | dedup Process_CMD, Process_Path, sum_download, sum_upload | alter ratio = divide(sum_download, sum_upload)
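To make the difference between the two stages concrete, the following added example (not Cortex code; a toy model written for this page) replays comp sum() and windowcomp sum() over constructed rows that use the same Process_Path, Process_CMD and Download fields as the queries above. The between bounds are interpreted as row offsets relative to the current row (negative = preceding, positive = following, null = unbounded), which is an assumption about the engine's frame semantics; frame_type=range is not modeled.

```python
from collections import defaultdict

# Constructed sample rows standing in for xdr_data after the "fields" stage.
ROWS = [
    {"Process_Path": "/usr/bin/curl", "Process_CMD": "curl -O a", "Download": 10},
    {"Process_Path": "/usr/bin/curl", "Process_CMD": "curl -O a", "Download": 30},
    {"Process_Path": "/usr/bin/curl", "Process_CMD": "curl -O b", "Download": 5},
    {"Process_Path": "/usr/bin/wget", "Process_CMD": "wget x", "Download": 7},
]


def comp_sum(rows, field, by):
    """comp sum(field) by <by...>: collapses each group to ONE output row
    carrying the group's sum (the rest of the input columns are dropped)."""
    totals = defaultdict(int)
    for r in rows:
        totals[tuple(r[k] for k in by)] += r[field]
    return [dict(zip(by, key), **{f"sum_{field}": total})
            for key, total in totals.items()]


def windowcomp_sum(rows, field, by=(), sort=None, between=(None, None)):
    """windowcomp sum(field) by ... sort ... between lo and hi: keeps EVERY
    input row and adds a column with the sum over that row's window frame.
    Assumed frame semantics: lo/hi are row offsets from the current row,
    None means unbounded (XQL 'null'), so (None, 0) is a running total and
    (None, None) is the whole partition."""
    groups = defaultdict(list)
    for r in rows:
        groups[tuple(r[k] for k in by)].append(r)
    out = []
    for members in groups.values():
        if sort is not None:
            members = sorted(members, key=lambda r: r[sort])
        lo, hi = between
        for i, r in enumerate(members):
            start = 0 if lo is None else max(0, i + lo)
            end = len(members) if hi is None else min(len(members), i + hi + 1)
            frame_sum = sum(m[field] for m in members[start:end])
            out.append({**r, f"sum_{field}": frame_sum})
    return out
```

With the rows above, comp_sum by Process_Path and Process_CMD yields three rows (40, 5, 7), while windowcomp_sum with the same by clause keeps all four rows and attaches the group sum to each; adding sort="Download" and between=(None, 0) turns the column into a running total.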