The countif aggregation function in Axiom Processing Language (APL) counts the number of records that meet a specified condition. You can use this aggregation to filter records based on a specific condition and return a count of matching records. This is particularly useful for log analysis, security audits, and tracing events when you need to isolate and count specific data subsets. Use countif when you want to count occurrences of certain conditions, such as HTTP status codes, errors, or actions in telemetry traces.

For users of other query languages

If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk SPL, conditional counting is typically done using the eval function combined with stats. APL provides a more streamlined approach with the countif function, which performs conditional counting directly.
| stats count(eval(status="500")) AS error_count
In ANSI SQL, conditional counting is achieved by using the COUNT function with a CASE statement. In APL, countif simplifies this process by offering a direct approach to conditional counting.
SELECT COUNT(CASE WHEN status = '500' THEN 1 END) AS error_count
FROM sample_http_logs

Usage

Syntax

countif(condition)

Parameters

  • condition: A boolean expression that filters the records based on a condition. Only records where the condition evaluates to true are counted.

Returns

The function returns the number of records that match the specified condition.

Use case examples

In log analysis, you might want to count how many HTTP requests returned a 500 status code to detect server errors.

Query

['sample-http-logs']
| summarize count_errors = countif(status == '500')

Output

count_errors
72

This query counts the number of HTTP requests with a 500 status, helping you identify how many server errors occurred. Naming the aggregation (count_errors = ...) gives the output column a readable name instead of the default one.
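Building on the single count above, the following query is an added example (not from the Axiom documentation) that combines several countif aggregations with count() in one summarize to produce an hourly, per-method server error rate, the shape you typically want for alerting on a spike in 5xx responses. The field names method and req_duration_ms are assumed to exist in the sample dataset; status is treated as a string as on this page.

```kusto
// Added example: multiple conditional counts in one summarize.
// Assumes the fields 'method' and 'req_duration_ms' exist in ['sample-http-logs'].
['sample-http-logs']
| where _time > ago(24h)
| summarize
    total = count(),                              // all requests in the bucket
    server_errors = countif(status == '500'),     // condition 1
    client_errors = countif(status startswith '4'), // condition 2
    slow_requests = countif(req_duration_ms > 1000) // condition 3
  by bin(_time, 1h), method
// countif returns a long; cast before dividing to get a fractional rate
| extend server_error_rate = round(100.0 * todouble(server_errors) / total, 2)
| where server_errors > 0
| order by server_error_rate desc
```

Each countif evaluates independently over the same rows, so a single scan yields all four counts, and the ratio of a countif result to count() is the standard way to turn a raw error count into a rate you can threshold.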
List of related aggregations

  • count: Counts all records in a dataset without applying a condition. Use this when you need the total count of records, regardless of any specific condition.
  • sumif: Adds up the values of a field for records that meet a specific condition. Use sumif when you want to sum values based on a filter.
  • dcountif: Counts distinct values of a field for records that meet a condition. This is helpful when you need to count unique occurrences.
  • avgif: Calculates the average value of a field for records that match a condition, useful for performance monitoring.
  • maxif: Returns the maximum value of a field for records that meet a condition. Use this when you want to find the highest value in filtered data.