approx_quantiles

The Cortex XDR XQL approx_quantiles approximate aggregate is a comp function that returns the approximate quantile boundaries of a field in the result set.

Synopsis

comp approx_quantiles(<field>, <number>, <true|false>) [as <alias>] [by <field1>[, <field2>...]] [addrawdata = true|false as <target field>]

Description

The approx_quantiles approximate aggregate is a comp function that returns the approximate quantile boundaries for a group of distinct (true) or non-distinct (false, the default) values of the specified field, across all records that contain matching values for the fields identified in the by clause. The function returns an array of <number> + 1 elements, where the first element is the approximate minimum and the last element is the approximate maximum. Use this approximate aggregate function when approximate results are acceptable in place of the exact results produced by regular aggregate functions; approximate aggregates are more scalable in terms of memory usage and run time.

In addition, you can configure whether the raw data events are displayed by setting addrawdata to either true or false (default), which configures the final comp results. When raw data events are included in your query, the query runs for up to 50 fields that you define and displays up to 100 events.

Examples

Distinct Values Example

Returns the approximate boundaries for a group of distinct values in the event_id field:

dataset = xdr_data | fields event_id | comp approx_quantiles(event_id, 100, true)

Non-Distinct Values Example

Returns the approximate boundaries for a group of non-distinct values in the event_id field:

dataset = xdr_data | fields event_id | comp approx_quantiles(event_id, 100)
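To make the shape of the result concrete, here is an added Python reference model of what the two queries above compute (exact quantile boundaries over an in-memory sample, not Cortex XDR's own approximate implementation). It shows the <number> + 1 element array, the min/max at the ends, how the distinct flag changes the interior boundaries, and a grouped variant standing in for the by clause; the sample records and the endpoint grouping field are constructed for the example.

```python
from collections import defaultdict
from typing import Any, Dict, Iterable, List, Mapping, Optional

def quantile_boundaries(values: Iterable[int], number: int, distinct: bool = False) -> List[int]:
    """Exact model of approx_quantiles(<field>, <number>, <distinct>).

    Returns number + 1 boundaries; element 0 is the minimum and element
    number is the maximum. With distinct=True each value counts once, so
    heavily repeated values no longer pull the interior boundaries toward them.
    """
    if number < 1:
        raise ValueError("number must be at least 1")
    data = sorted(set(values)) if distinct else sorted(values)
    if not data:
        return []
    n = len(data)
    boundaries = []
    for i in range(number + 1):
        # nearest-rank position of the i-th boundary (rounded half up), so every
        # boundary is an actual value of the field rather than an interpolation
        idx = (i * (n - 1) * 2 + number) // (2 * number)
        boundaries.append(data[idx])
    return boundaries

def comp_quantiles_by(records: Iterable[Mapping[str, Any]], field: str, number: int,
                      distinct: bool = False, by: Optional[str] = None) -> Dict[Any, List[int]]:
    """Model of `comp approx_quantiles(field, number, distinct) by <by>`:
    one boundary array per value of the by field (key None when no by clause).
    Records that lack the field are skipped, as they carry no value to aggregate."""
    groups: Dict[Any, List[int]] = defaultdict(list)
    for rec in records:
        if rec.get(field) is None:
            continue
        groups[rec.get(by) if by else None].append(rec[field])
    return {key: quantile_boundaries(vals, number, distinct) for key, vals in groups.items()}

# Constructed sample standing in for `dataset = xdr_data | fields event_id`
# (the event_id values and the "endpoint" field are made up for this example).
SAMPLE_EVENT_IDS = [1, 1, 1, 1, 2, 2, 3, 5, 8, 13, 13, 13, 21]
SAMPLE_RECORDS = [
    {"event_id": 10, "endpoint": "a"}, {"event_id": 20, "endpoint": "a"},
    {"event_id": 30, "endpoint": "a"}, {"event_id": 5, "endpoint": "b"},
    {"event_id": 5, "endpoint": "b"}, {"event_id": 5, "endpoint": "b"},
    {"event_id": 7, "endpoint": "b"}, {"endpoint": "c"},
]

if __name__ == "__main__":
    print("distinct:    ", quantile_boundaries(SAMPLE_EVENT_IDS, 2, True))   # [1, 5, 21]
    print("non-distinct:", quantile_boundaries(SAMPLE_EVENT_IDS, 2))         # [1, 3, 21]
    print("by endpoint: ", comp_quantiles_by(SAMPLE_RECORDS, "event_id", 2, by="endpoint"))
```

With number=2 the middle element is the approximate median, which the repeated 1s and 13s shift from 5 (distinct) to 3 (non-distinct); the page's queries use number=100, so they return 101 boundaries.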
