axiomhq
diff --git a/‎apl/aggregation-function/percentiles-array.mdx
+162 b/‎apl/aggregation-function/percentiles-array.mdx
+162
diff --git a/‎apl/aggregation-function/percentiles-arrayif.mdx
+156 b/‎apl/aggregation-function/percentiles-arrayif.mdx
+156
diff --git a/‎apl/aggregation-function/statistical-functions.mdx
+4-2 b/‎apl/aggregation-function/statistical-functions.mdx
+4-2
@@ -0,0 +1,162 @@
+---
+title: percentiles_array
+description: 'This page explains how to use the percentiles_array function in APL.'
+---
+
+Use the `percentiles_array` aggregation function in APL to calculate multiple percentile values over a numeric expression in one pass. This function is useful when you want to understand the distribution of numeric data points, such as response times or durations, by summarizing them at several key percentiles like the 25th, 50th, and 95th.
+
+You can use `percentiles_array` to:
+
+- Analyze latency or duration metrics across requests or operations.
+- Identify performance outliers.
+- Visualize percentile distributions in dashboards.
+
+## For users of other query languages
+
+If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
+
+<AccordionGroup>
+<Accordion title="Splunk SPL users">
+
+In Splunk, you typically calculate percentiles one at a time using the `perc` function. To get multiple percentiles, you repeat the function with different percentile values. In APL, `percentiles_array` lets you specify multiple percentiles in a single function call and returns them as an array.
+
+<CodeGroup>
+```sql Splunk example
+... | stats perc95(duration), perc50(duration), perc25(duration) by service
+```
+
+```kusto APL equivalent
+['otel-demo-traces']
+| summarize percentiles_array(duration, 25, 50, 95) by ['service.name']
+```
+</CodeGroup>
+
+</Accordion>
+<Accordion title="ANSI SQL users">
+
+Standard SQL typically lacks a built-in function to calculate multiple percentiles in a single operation. Instead, you use `PERCENTILE_CONT` or `PERCENTILE_DISC` with `WITHIN GROUP`, repeated for each desired percentile. In APL, `percentiles_array` simplifies this with a single function call that returns all requested percentiles as an array.
+
+<CodeGroup>
+```sql SQL example
+SELECT
+  service,
+  PERCENTILE_CONT(0.25) WITHIN GROUP (ORDER BY duration) AS p25,
+  PERCENTILE_CONT(0.50) WITHIN GROUP (ORDER BY duration) AS p50,
+  PERCENTILE_CONT(0.95) WITHIN GROUP (ORDER BY duration) AS p95
+FROM traces
+GROUP BY service
+```
+
+```kusto APL equivalent
+['otel-demo-traces']
+| summarize percentiles_array(duration, 25, 50, 95) by ['service.name']
+```
+</CodeGroup>
+
+</Accordion>
+</AccordionGroup>
+
+## Usage
+
+### Syntax
+
+```kusto
+percentiles_array(Field, Percentile1, Percentile2, ...)
+```
+
+### Parameters
+
+- `Field` is the name of the field for which you want to compute percentile values.
+- `Percentile1`, `Percentile2`, ... are numeric percentile values between 0 and 100.
+
+### Returns
+
+An array of numbers where each element is the value at the corresponding percentile.
+
+## Use case examples
+
+<Tabs>
+<Tab title="Log analysis">
+
+Use `percentiles_array` to understand the spread of request durations per HTTP method, highlighting performance variability.
+
+**Query**
+
+```kusto
+['sample-http-logs']
+| summarize percentiles_array(req_duration_ms, 25, 50, 95) by method
+```
+
+[Run in Playground](https://play.axiom.co/axiom-play-qf1k/query?initForm=%7B%22apl%22%3A%22%5B'sample-http-logs'%5D%20%7C%20summarize%20percentiles_array(req_duration_ms%2C%2025%2C%2050%2C%2095)%20by%20method%22%7D)
+
+**Output**
+
+| method | P25       | P50       | P95      |
+|--------|-----------|-----------|----------|
+|   GET  | 0.3981 ms | 0.7352 ms | 1.981 ms |
+|  POST  | 0.3261 ms | 0.7162 ms | 2.341 ms |
+|   PUT  | 0.3324 ms | 0.7772 ms | 1.341 ms |
+| DELETE | 0.2332 ms | 0.4652 ms | 1.121 ms |
+
+This query calculates the 25th, 50th, and 95th percentiles of request durations for each HTTP method. It helps identify performance differences between different methods.
+
+</Tab>
+<Tab title="OpenTelemetry traces">
+
+Use `percentiles_array` to analyze the distribution of span durations by service to detect potential bottlenecks.
+
+**Query**
+
+```kusto
+['otel-demo-traces']
+| summarize percentiles_array(duration, 50, 90, 99) by ['service.name']
+```
+
+[Run in Playground](https://play.axiom.co/axiom-play-qf1k/query?initForm=%7B%22apl%22%3A%22%5B'otel-demo-traces'%5D%20%7C%20summarize%20percentiles_array(duration%2C%2050%2C%2090%2C%2099)%20by%20%5B'service.name'%5D%22%7D)
+
+**Output**
+
+| service.name          | P50      | P90       | P99       | P99       |
+|-----------------------|----------|-----------|-----------|-----------|
+| recommendationservice |  1.96 ms |  2.965 ms |  3.477 ms |  3.477 ms |
+|     frontendproxy     | 3.767 ms | 13.101 ms | 39.735 ms | 39.735 ms |
+|    shippingservice    | 2.119 ms |  3.085 ms |  9.739 ms |  9.739 ms |
+|    checkoutservice    | 1.454 ms | 12.342 ms | 29.542 ms | 29.542 ms |
+
+This query shows latency patterns across services by computing the median, 90th, and 99th percentile of span durations.
+
+</Tab>
+<Tab title="Security logs">
+
+Use `percentiles_array` to assess outlier response times per status code, which can reveal abnormal activity or service issues.
+
+**Query**
+
+```kusto
+['sample-http-logs']
+| summarize percentiles_array(req_duration_ms, 50, 95, 99) by status
+```
+
+[Run in Playground](https://play.axiom.co/axiom-play-qf1k/query?initForm=%7B%22apl%22%3A%22%5B'sample-http-logs'%5D%20%7C%20summarize%20percentiles_array(req_duration_ms%2C%2050%2C%2095%2C%2099)%20by%20status%22%7D)
+
+**Output**
+
+| status | P50       | P95      | P99      |
+|--------|-----------|----------|----------|
+|   200  | 0.7352 ms | 1.981 ms | 2.612 ms |
+|   201  | 0.7856 ms | 1.356 ms | 2.234 ms |
+|   301  | 0.8956 ms | 1.547 ms | 2.546 ms |
+|   500  | 0.6587 ms | 1.856 ms | 2.856 ms |
+
+This query helps identify whether requests resulting in errors (like 500) are significantly slower than successful ones.
+
+</Tab>
+</Tabs>
+
+## List of related functions
+
+- [avg](/apl/aggregation-function/avg): Returns the average value. Use it when a single central tendency is sufficient.
+- [percentile](/apl/aggregation-function/percentile): Returns a single percentile value. Use it when you only need one percentile.
+- [percentile_if](/apl/aggregation-function/percentileif): Returns a single percentile value for the records that satisfy a condition.
+- [percentiles_arrayif](/apl/aggregation-function/percentiles-arrayif): Returns an array of percentile values for the records that satisfy a condition.
+- [sum](/apl/aggregation-function/sum): Returns the sum of a numeric column.
@@ -0,0 +1,156 @@
+---
+title: percentiles_arrayif
+description: 'This page explains how to use the percentiles_array function in APL.'
+---
+
+Use `percentiles_arrayif` to calculate approximate percentile values for a numeric expression when a certain condition evaluates to true. This function is useful when you want an array of percentiles instead of a single percentile. You can use it to understand data distributions in scenarios such as request durations, event processing times, or security alert severities, while filtering on specific criteria.
+
+## For users of other query languages
+
+If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
+
+<AccordionGroup>
+<Accordion title="Splunk SPL users">
+
+In Splunk SPL, you often use statistical functions such as `perc<percent>` or `percN()` to compute percentile estimates. In APL, you use `percentiles_arrayif` and provide a predicate to define which records to include in the computation.
+
+<CodeGroup>
+```sql Splunk example
+index=main sourcetype=access_combined
+| stats perc90(req_duration_ms) AS p90, perc99(req_duration_ms) AS p99
+```
+
+```kusto APL equivalent
+['sample-http-logs']
+| summarize Dist=percentiles_arrayif(req_duration_ms, dynamic([90, 99]), status == '200')
+```
+</CodeGroup>
+
+</Accordion>
+<Accordion title="ANSI SQL users">
+
+In ANSI SQL, you often use window functions like `PERCENTILE_DISC` or `PERCENTILE_CONT` or write multiple `CASE` expressions for conditional aggregation. In APL, you can achieve similar functionality with `percentiles_arrayif` by passing the numeric field and condition to the function.
+
+<CodeGroup>
+```sql SQL example
+SELECT
+  PERCENTILE_DISC(0.90) WITHIN GROUP (ORDER BY req_duration_ms) AS p90,
+  PERCENTILE_DISC(0.99) WITHIN GROUP (ORDER BY req_duration_ms) AS p99
+FROM sample_http_logs
+WHERE status = '200';
+```
+
+```kusto APL equivalent
+['sample-http-logs']
+| summarize Dist=percentiles_arrayif(req_duration_ms, dynamic([90, 99]), status == '200')
+```
+</CodeGroup>
+
+</Accordion>
+</AccordionGroup>
+
+# Usage
+
+## Syntax
+
+```kusto
+percentiles_arrayif(Field, Array, Condition)
+```
+
+## Parameters
+
+- `Field` is the name of the field for which you want to compute percentile values.
+- `Array` is a dynamic array of one or more numeric percentile values (between 0 and 100).
+- `Condition` is a Boolean expression that indicates which records to include in the calculation.
+
+## Returns
+
+The function returns an array of percentile values for the records that satisfy the condition. The position of each returned percentile in the array matches the order in which it appears in the function call.
+
+## Use case examples
+
+<Tabs>
+<Tab title="Log analysis">
+
+You can use `percentiles_arrayif` to analyze request durations in HTTP logs while filtering for specific criteria, such as certain HTTP statuses or geographic locations.
+
+**Query**
+
+```kusto
+['sample-http-logs']
+| summarize percentiles_arrayif(req_duration_ms, dynamic([50, 90, 95, 99]), status == '200') by bin_auto(_time)
+```
+
+[Run in Playground](https://play.axiom.co/axiom-play-qf1k/query?initForm=%7B%22apl%22%3A%22%5B'sample-http-logs'%5D%20%7C%20summarize%20percentiles_arrayif(req_duration_ms%2C%20dynamic(%5B50%2C%2090%2C%2095%2C%2099%5D)%2C%20status%20%3D%3D%20'200')%20by%20bin_auto(_time)%22%7D)
+
+**Output**
+
+| percentiles_req_duration_ms  |
+|--------------------------|
+| 0.7352 ms     |
+| 1.691 ms     |
+| 1.981 ms     |
+| 2.612 ms     |
+
+
+This query filters records to those with a status of 200 and returns the percentile values for the request durations.
+
+</Tab>
+<Tab title="OpenTelemetry traces">
+
+Use `percentiles_arrayif` to track performance of spans and filter on a specific service operation. This lets you quickly gauge how request durations differ for incoming traffic.
+
+**Query**
+
+```kusto
+['otel-demo-traces']
+| summarize percentiles_arrayif(duration, dynamic([50, 90, 99, 99]), ['method'] == "POST") by bin_auto(_time)
+```
+
+[Run in Playground](https://play.axiom.co/axiom-play-qf1k/query?initForm=%7B%22apl%22%3A%22%5B'otel-demo-traces'%5D%20%7C%20summarize%20percentiles_arrayif(duration%2C%20dynamic(%5B50%2C%2090%2C%2099%2C%2099%5D)%2C%20%5B'method'%5D%20%3D%3D%20'POST')%20by%20bin_auto(_time)%22%7D)
+
+**Output**
+
+| percentiles_duration           |
+|---------------------------|
+| 5.166 ms |
+| 25.18 ms |
+| 71.996 ms |
+
+This query returns the percentile values for span durations for requests with the POST method.
+
+</Tab>
+<Tab title="Security logs">
+
+You can focus on server issues by filtering for specific status codes, then see how request durations are distributed in those scenarios.
+
+**Query**
+
+```kusto
+['sample-http-logs']
+| summarize percentiles_arrayif(req_duration_ms, dynamic([50, 90, 95, 99]), status startswith '5') by bin_auto(_time)
+```
+
+[Run in Playground](https://play.axiom.co/axiom-play-qf1k/query?initForm=%7B%22apl%22%3A%22%5B'sample-http-logs'%5D%20%7C%20summarize%20percentiles_arrayif(req_duration_ms%2C%20dynamic(%5B50%2C%2090%2C%2095%2C%2099%5D)%2C%20status%20startswith%20'5')%20by%20bin_auto(_time)%22%7D)
+
+**Output**
+
+| percentiles_req_duration_ms |
+|---------------------------|
+| 0.7352 ms |
+| 1.691 ms |
+| 1.981 ms |
+| 2.612 ms |
+
+This query calculates percentile values for request durations that return a status code starting with 5 which means server error.
+
+</Tab>
+</Tabs>
+
+## List of related functions
+
+- [avg](/apl/aggregation-function/avg): Returns the average of a numeric column.
+- [percentile](/apl/aggregation-function/percentile): Returns a single percentile value.
+- [percentile_if](/apl/aggregation-function/percentileif): Returns a single percentile value for the records that satisfy a condition.
+- [percentiles_array](/apl/aggregation-function/percentiles-array): Returns an array of percentile values for all rows.
+- [sum](/apl/aggregation-function/sum): Returns the sum of a numeric column.
@@ -28,10 +28,12 @@ The table summarizes the aggregation functions available in APL. Use all these a
 | [min](/apl/aggregation-function/min)                                        | Returns the minimum value across the group.                                                                       |
 | [minif](/apl/aggregation-function/minif)                                    | Returns the minimum of an expression in records for which the predicate evaluates to true.                                   |
 | [percentile](/apl/aggregation-function/percentile)                          | Calculates the requested percentiles of the group and produces a timeseries chart.                                |
-| [percentileif](/apl/aggregation-function/percentileif)                          | Calculates the requested percentiles of the field for the rows where the predicate evaluates to true.                                |
+| [percentileif](/apl/aggregation-function/percentileif)                      | Calculates the requested percentiles of the field for the rows where the predicate evaluates to true.                                |
+| [percentiles_array](/apl/aggregation-function/percentiles-array)            | Returns an array of numbers where each element is the value at the corresponding percentile. |
+| [percentiles_arrayif](/apl/aggregation-function/percentiles-arrayif)        | Returns an array of percentile values for the records that satisfy the condition. |
 | [rate](/apl/aggregation-function/rate)                                      | Calculates the rate of values in a group per second.                                  |
 | [stdev](/apl/aggregation-function/stdev)                                    | Calculates the standard deviation of an expression across the group.                                                       |
-| [stdevif](/apl/aggregation-function/stdevif)                                  | Calculates the standard deviation of an expression in records for which the predicate evaluates to true.                     |
+| [stdevif](/apl/aggregation-function/stdevif)                                | Calculates the standard deviation of an expression in records for which the predicate evaluates to true.                     |
 | [sum](/apl/aggregation-function/sum)                                        | Calculates the sum of an expression across the group.                                                                      |
 | [sumif](/apl/aggregation-function/sumif)                                    | Calculates the sum of an expression in records for which the predicate evaluates to true.                                    |
 | [topk](/apl/aggregation-function/topk)                                      | calculates the top values of an expression across the group in a dataset.                                                   |