Skip to main content
The sumif aggregation function in Axiom Processing Language (APL) computes the sum of a numeric expression for records that meet a specified condition. This function is useful when you want to filter data based on specific criteria and aggregate the numeric values that match the condition. Use sumif when you need to apply conditional logic to sums, such as calculating the total request duration for successful HTTP requests or summing the span durations in OpenTelemetry traces for a specific service.

For users of other query languages

If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk SPL, the sumif equivalent functionality requires using a stats command with a where clause to filter the data. In APL, you can use sumif to simplify this operation by combining both the condition and the summing logic into one function.
| stats sum(duration) as total_duration where status="200"
In ANSI SQL, achieving a similar result typically involves using a CASE statement inside the SUM function to conditionally sum values based on a specified condition. In APL, sumif provides a more concise approach by allowing you to filter and sum in a single function.
SELECT SUM(CASE WHEN status = '200' THEN duration ELSE 0 END) AS total_duration
FROM http_logs

Usage

Syntax

sumif(numeric_expression, condition)

Parameters

  • numeric_expression: The numeric field or expression you want to sum.
  • condition: A boolean expression that determines which records contribute to the sum. Only the records that satisfy the condition are considered.

Returns

sumif returns the sum of the values in numeric_expression for records where the condition is true. If no records meet the condition, the result is 0.

Use case examples

  • Log analysis
  • OpenTelemetry traces
  • Security logs
In this use case, we calculate the total request duration for HTTP requests that returned a 200 status code.Query
['sample-http-logs']
| summarize total_req_duration = sumif(req_duration_ms, status == '200')
Run in PlaygroundOutput
total_req_duration
145000
This query computes the total request duration (in milliseconds) for all successful HTTP requests (those with a status code of 200).
  • avgif: Computes the average of a numeric expression for records that meet a specified condition. Use avgif when you’re interested in the average value, not the total sum.
  • countif: Counts the number of records that satisfy a condition. Use countif when you need to know how many records match a specific criterion.
  • minif: Returns the minimum value of a numeric expression for records that meet a condition. Useful when you need the smallest value under certain criteria.
  • maxif: Returns the maximum value of a numeric expression for records that meet a condition. Use maxif to identify the highest values under certain conditions.