This page explains how to use the maxif aggregation function in APL.
The `maxif` aggregation function in APL is useful when you want to return the maximum value from a dataset based on a conditional expression. This allows you to filter the dataset dynamically and only return the maximum for rows that satisfy the given condition. It’s particularly helpful for scenarios where you want to find the highest value of a specific metric, like response time or duration, but only for a subset of the data (e.g., successful responses, specific users, or requests from a particular geographic location).
You can use the `maxif` function when analyzing logs, monitoring system traces, or inspecting security-related data to get insights into the maximum value under certain conditions.
Splunk SPL users

`stats max()` function alongside a conditional filtering step to achieve a similar result. APL’s `maxif` function combines both operations into one, streamlining the query.

ANSI SQL users

`MAX` function in conjunction with a `WHERE` clause. APL’s `maxif` allows you to perform the same operation with a single aggregation function.

- `column`: The column containing the values to aggregate.
- `condition`: The condition that must be true for the values to be considered in the aggregation.

`column` for rows that meet the `condition`. If no rows match the condition, it returns `null`.

| max_req_duration |
|---|
| 1250 |

`req_duration_ms`) for HTTP requests with a `200` status.

- `minif`: when you’re interested in the lowest value under specific conditions.
- `max`: when you want the highest value across the entire dataset without conditions.
- `sumif`: when you want the total value of a column under specific conditions.
- `avgif`: when you want to calculate the mean value based on a filter.
- `countif`: when you want to count occurrences that meet certain criteria.
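
The following query is an added example, not taken from the original page. It computes the maximum `req_duration_ms` for `200` responses per hour and places `maxif` next to `max` and `countif` from the list above. The dataset name `sample-http-logs`, the string-typed `status` field, and the output column names other than the idea of a maximum request duration are assumptions.

```kusto
// Assumed dataset name; replace with your own HTTP log dataset.
['sample-http-logs']
| summarize
    // Highest duration among successful requests only (status assumed to be a string).
    max_ok_duration = maxif(req_duration_ms, status == '200'),
    // Highest duration across all requests in the same hour, for comparison.
    max_any_duration = max(req_duration_ms),
    // Number of rows the maxif condition matched in that hour.
    ok_requests = countif(status == '200')
  by bin(_time, 1h)
```

An hour that contains requests but no `200` responses returns null for `max_ok_duration` and 0 for `ok_requests`, so an empty subset is distinguishable from a genuinely low maximum.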