maxif aggregation in APL

Introduction

The maxif aggregation function in APL is useful when you want to return the maximum value from a dataset based on a conditional expression. This allows you to filter the dataset dynamically and only return the maximum for rows that satisfy the given condition. It’s particularly helpful for scenarios where you want to find the highest value of a specific metric, like response time or duration, but only for a subset of the data (e.g., successful responses, specific users, or requests from a particular geographic location). You can use the maxif function when analyzing logs, monitoring system traces, or inspecting security-related data to get insights into the maximum value under certain conditions.

For users of other query languages

If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.

Splunk SPL users

In Splunk SPL, you might use the stats max() function alongside a conditional filtering step to achieve a similar result. APL’s maxif function combines both operations into one, streamlining the query.

| stats max(req_duration_ms) as max_duration where status="200"

ANSI SQL users

In ANSI SQL, you typically use the MAX function in conjunction with a WHERE clause. APL’s maxif allows you to perform the same operation with a single aggregation function.

SELECT MAX(req_duration_ms) 
FROM logs 
WHERE status = '200';

Usage

Syntax

summarize maxif(column, condition)

Parameters

column: The column containing the values to aggregate.
condition: The condition that must be true for the values to be considered in the aggregation.

Returns

The maximum value from column for rows that meet the condition. If no rows match the condition, it returns null.

Use case examples

In log analysis, you might want to find the maximum request duration, but only for successful requests.Query

['sample-http-logs']
| summarize maxif(req_duration_ms, status == "200")

Run in PlaygroundOutput

max_req_duration
1250

This query returns the maximum request duration (req_duration_ms) for HTTP requests with a 200 status.

minif: Returns the minimum value from a column for rows that satisfy a condition. Use minif when you’re interested in the lowest value under specific conditions.
max: Returns the maximum value from a column without filtering. Use max when you want the highest value across the entire dataset without conditions.
sumif: Returns the sum of values for rows that satisfy a condition. Use sumif when you want the total value of a column under specific conditions.
avgif: Returns the average of values for rows that satisfy a condition. Use avgif when you want to calculate the mean value based on a filter.
countif: Returns the count of rows that satisfy a condition. Use countif when you want to count occurrences that meet certain criteria.

Get started

Functions

Operators

Reference

Migration

maxif

maxif aggregation in APL

Introduction

For users of other query languages

Usage

Syntax

Parameters

Returns

Use case examples

Get started

Functions

Operators

Reference

Migration

​maxif aggregation in APL

​Introduction

​For users of other query languages

​Usage

​Syntax

​Parameters

​Returns

​Use case examples

​List of related aggregations

maxif aggregation in APL

Introduction

For users of other query languages

Usage

Syntax

Parameters

Returns

Use case examples

List of related aggregations