Aggregation Functions

Expressions used in the Having clause must contain at least one aggregation function. The (*) option applies the function to every event with no additional constraints. The All option applies the function to all values that are not null. The Distinct option applies the function only once per distinct value.
Count ( * )
Count ( [ Distinct | All ] <expression> Limit <integer> )
Sum ( [ Distinct | All ] <expression> Limit <integer> )
Avg ( [ Distinct | All ] <expression> Limit <integer> )
Max ( [ Distinct | All ] <expression> Limit <integer> )
Min ( [ Distinct | All ] <expression> Limit <integer> )
Var ( [ Distinct | All ] <expression> Limit <integer> )
Stdev ( [ Distinct | All ] <expression> Limit <integer> )
Function   Definition
Count      Count of values
Sum        The total value
Avg        The average value
Max        The maximum value
Min        The minimum value
Var        The variance
Stdev      The standard deviation

Having Clause

The Having clause adds additional constraints on the events that have passed the filter and are grouped by the rule.

At (Least | Most) <integer> Distinct <expression> As <identifier> Limit <integer>
Count Of <expression> Being <expression> (Greater | Less) Than <integer>
Percentage Of <expression> Being <expression> (Greater | Less) Than <integer> %
<condition>
Note: The Having clause expression must contain at least one aggregation function.

The supported parameters are:

Parameter       Description
Count Of        Counts the number of times the two expressions are equal and checks whether this count is greater or less than a boundary.
Percentage Of   Counts the number of times the two expressions are equal, divides that count by the number of events in the group, and checks whether the resulting ratio is less or more than a value expressed as a percentage.

The Having clause can also be an expression using aggregation functions and resolving to a Boolean.
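As an added illustration (not code from the rule engine this page documents), the following Python models the semantics described above over a constructed group of events: the All, Distinct and (*) options of Count, plus Count Of / Percentage Of and At Least N Distinct. The field names, values and the reading of Limit as a cap on how many values are considered are assumptions.

```python
# Constructed sample: events that passed the rule's filter and fall in one
# group (e.g. grouped by user). Field names and values are invented.
EVENTS = [
    {"user": "alice", "src_ip": "10.0.0.1", "outcome": "failure"},
    {"user": "alice", "src_ip": "10.0.0.2", "outcome": "failure"},
    {"user": "alice", "src_ip": "10.0.0.2", "outcome": "failure"},
    {"user": "alice", "src_ip": None, "outcome": "success"},
    {"user": "alice", "src_ip": "10.0.0.3", "outcome": "failure"},
]

def field(name):
    """An <expression> that reads one field of an event (None when absent)."""
    return lambda e: e.get(name)
def const(value):
    """An <expression> that evaluates to a constant, e.g. Being "failure"."""
    return lambda e: value

def agg_values(events, expr, distinct=False, limit=None):
    """Values an aggregation sees. All: nulls dropped. Distinct: one copy per
    value. Limit: assumed here to cap how many values are considered."""
    vals = [v for v in (expr(e) for e in events) if v is not None]
    if distinct:
        vals = list(dict.fromkeys(vals))  # dedupe, keep first-seen order
    return vals if limit is None else vals[:limit]

def count(events, expr=None, distinct=False, limit=None):
    """Count(*) when expr is None, else Count([Distinct|All] expr Limit n)."""
    if expr is None:
        return len(events)
    return len(agg_values(events, expr, distinct, limit))

def count_of_being(events, lhs, rhs):
    """Count Of <lhs> Being <rhs>: events in the group where both are equal."""
    return sum(1 for e in events if lhs(e) == rhs(e))

def percentage_of_being(events, lhs, rhs):
    """Percentage Of <lhs> Being <rhs>: that count as a percent of the group."""
    return 100.0 * count_of_being(events, lhs, rhs) / len(events) if events else 0.0

def at_least_distinct(events, n, expr):
    """At Least <n> Distinct <expr>."""
    return count(events, expr, distinct=True) >= n

# Having clause of a password-guessing detection, written with the helpers:
#   At Least 3 Distinct src_ip, Count Of outcome Being "failure" Greater Than 3,
#   Percentage Of outcome Being "failure" Greater Than 50 %
def having(events):
    return (at_least_distinct(events, 3, field("src_ip"))
            and count_of_being(events, field("outcome"), const("failure")) > 3
            and percentage_of_being(events, field("outcome"), const("failure")) > 50)
```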