Learn more about the Cortex Query Language comp stage that performs an aggregation against a field.
Syntax
comp <aggregate function1> (<field>) [as <alias>][,<aggregate function2>(<field>) [as <alias>],...] [by <field1>[,<field2>...]] [addrawdata = true|false as <target field>]comp <function> [as <alias>] by asc|desc <field1>[,<field2>...]
Description
The comp stage precedes functions calculating statistics for results, including aggregation functions, such as sum, min, or max, as well as approximate aggregate functions, such as approx_count or approx_top. At least one of the comp aggregate functions or comp approximate aggregate functions must be used. Yet, it's also possible to define a comp stage with both types of aggragate functions.
Use approximate aggregate functions to produce approximate results, instead of exact results used with regular aggregate functions, which are more scalable in terms of memory usage and time.
Use the alias clause to provide a column label for the comp results, and is optional.
The by clause identifies the rows in the result set that will be aggregated. This clause is optional. Provide one or more fields to this clause. All fields with matching values are used to perform the aggregation. For example, if you had records such as:
number,id,product 100,"se1","A55" 50,"se1","A60" 50,"se1","A60" 25,"se2","A55" 25,"se2","A60"
The you can aggregate on the number column, and perform aggregation based on matching values in the id and/or product column. So if you sum the number column by the id column, you would get two results:
200 for "se1"
50 for "se2"
If you summed by id and product, you would get:
100 for "se1" and "A55" (there are no matching pairs).
100 for "se1" and "A60" (there is one matching pair).
25 for "se2" and "A55" (there are no matching pairs).
25 for "se2" and "A60" (there are no matching pairs).
In addition, you can configure whether the raw data events are displayed by setting addrawdata to either true or false (default), which are used to configure the final comp results. When including raw data events in your query, the query runs for up to 50 fields that you define and displays up to 100 events.
Wildcard Aggregates
You can use a wildcard to perform an aggregate for every field contained in the result set, except for the field(s) specified in the by clause.
Note
Wildcards are only supported with aggregate functions and not approximate aggregate functions.
The syntax for this is:
comp <aggregate function>(*) as * [by [asc|desc] <field1>[,<field2>...]] [addrawdata = true|false as <target field>]
For wildcards to work, all of the fields contained in the result set that are not identified in the by clause must be aggregatable.
Examples
Sum the action_total_download values for all records with matching pairs of values for the actor_process_image_path and actor_process_command_line fields. The query returns a maximum of 100 xdr_data records and includes a raw_data column listing the raw data events used to display the final comp results.
dataset = xdr_data | fields actor_process_image_path as Process_Path, actor_process_command_line as Process_CMD, action_total_download as Download | filter Download > 0 | limit 100 | comp sum(Download) as total by Process_Path, Process_CMD addrawdata = true as raw_data
Using the panw_ngfw_traffic_raw dataset, sum the bytes_total, bytes_received, and bytes_sent values for every record contained in the result set with a matching value for source_ip. The query returns a maximum of 1000 xdr_data records and includes a raw_data column listing the raw data events used to display the final comp results.
Note
The comp stage runs on 1000 raw data events, but only a 100 will be displayed in the raw_data column.
dataset = panw_ngfw_traffic_raw | fields bytes_total, bytes_received, bytes_sent, source_ip | limit 1000 | comp sum(*) as * by source_ip addrawdata = true as raw_data
comp Aggregate Functions
The aggregate functions you can use with the comp stage are:
comp Approximate Aggregate Functions
The approximate aggregate functions you can use with the comp stage are: