COUNT function

The COUNT function returns the number of rows that satisfy the WHERE clause of a SELECT statement.

If the SELECT statement does not have a WHERE clause, the COUNT function returns the total number of rows in the table.

Examples of the Count function

The following query returns the count of all events with credibility that is greater than or equal to 9.

SELECT COUNT(*) FROM events WHERE credibility >= 9

The following query returns the count of assets by location and source IP address.

SELECT ASSETPROPERTY('Location',sourceip) 
AS location, COUNT(*) 
FROM events 
GROUP BY location 
LAST 1 days

The following query returns the user names, source IP addresses, and count of events.

SELECT username, sourceip, 
COUNT(*) FROM events 
GROUP BY username 
LAST 600 minutes

The sourceip column is returned as FIRST_sourceip.

One sourceip is returned only per username, even if another sourceip exists.

Note:

When you use the GROUP BY clause with a column name or AQL function, only the first value is returned for the GROUP BY column, by default, even though other values might exist.