Stay organized with collections
Save and categorize content based on your preferences.
sum
sum(numericExpression)
Description
The sum function returns the sum of values within a numeric column. It ignores
NULL values during the calculation. It is often used with match
to calculate the sums within different groups in the data.
Param data types
NUMBER
Return type
NUMBER
Code Samples
Example
Find all the events where target.ip is not empty. For all the events that
match on principal.ip, store a sum of network.sent_bytes in a variable
called sent_bytes.
target.ip != ""
match:
principal.ip
outcome:
$sent_bytes = sum(network.sent_bytes)
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-07-14 UTC.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-07-14 UTC."],[[["\u003cp\u003eThe \u003ccode\u003esum\u003c/code\u003e function calculates the total of numeric values in a column.\u003c/p\u003e\n"],["\u003cp\u003e\u003ccode\u003eNULL\u003c/code\u003e values are excluded from the sum calculation.\u003c/p\u003e\n"],["\u003cp\u003eIt is often used with \u003ccode\u003ematch\u003c/code\u003e to calculate sums for groups in the data.\u003c/p\u003e\n"],["\u003cp\u003eThe function's input data type is \u003ccode\u003eNUMBER\u003c/code\u003e, and the return type is \u003ccode\u003eNUMBER\u003c/code\u003e.\u003c/p\u003e\n"]]],[],null,["### sum\n\n sum(numericExpression)\n\n#### Description\n\nThe `sum` function returns the sum of values within a numeric column. It ignores\n`NULL` values during the calculation. It is often used with `match`\nto calculate the sums within different groups in the data.\n\n#### Param data types\n\n`NUMBER`\n\n#### Return type\n\n`NUMBER`\n\n#### Code Samples\n\n##### Example\n\nFind all the events where `target.ip` is not empty. For all the events that\nmatch on `principal.ip`, store a sum of `network.sent_bytes` in a variable\ncalled `sent_bytes`. \n\n target.ip != \"\"\n match:\n principal.ip\n outcome:\n $sent_bytes = sum(network.sent_bytes)"]]
