approx_top

Cortex XDR XQL comp approx_top approximate aggregate can return either an approximate sum or count of top elements for the given field.

Synopsis

comp approx_top as count
comp approx_top(<
string field
>, <
number
>) [as <alias>] [by <
field1
>[,<
field2
>...]][addrawdata = true|false as <target field>]
comp approx_top as sum
comp approx_top(<
string field
>, <
number
>, <
weight string field
>) [as <alias>] [by <
field1
>[,<
field2
>...]][addrawdata = true|false as <target field>]

Description

The
approx_top
approximate aggregate is a comp function that, depending on the number of parameters, returns either an approximate count or sum of top elements for the given field, for all records that contain matching values for the fields identified in the
by
clause. When a third parameter is specified, it references a field that contains a numeric value (weight) that is used to calculate a sum. The return value is an array with up to <
number
> of JSON strings. Each string represents an object (struct) containing 2 keys and corresponding values. The keys depend on whether a third parameter has been supplied or not.
When defining
approx_top
to count and the third parameter is omitted, each struct will have these keys: "value" and "count", where the "value" specifies a unique field value and count specifies the number of occurrences. When the third parameter is specified in
approx_top
, it has to be a name of a field that contains a numeric value that is used to calculate the final sum for each unique value in the first specified field. Each struct in this case will have these keys: "value" and "sum".
In addition, you can configure whether the raw data events are displayed by setting
addrawdata
to either
true
or
false
(default), which are used to configure the final
comp
results. When including raw data events in your query, the query runs for up to 50 fields that you define and displays up to 100 events.
Use this approximate aggregate function to produce approximate results, instead of exact results used with regular aggregate functions, which are more scalable in terms of memory usage and time.

Examples

comp approx_top as count
`
Returns an approximate count of the top 10 agent IDs in the
agent_id
field that appear the most frequently. The return value is an array containing 10 JSON strings with a "value" and "count".
dataset = xdr_data | fields agent_id | comp approx_top(agent_id, 10)
comp approx_top as sum
Returns an approximate sum of the top 10 agent IDs in the
agent_id
field by their
action_session_duration
. The return value is an array containing 10 JSON strings with a "value" and "sum" for each
agent_id
.
dataset = xdr_data | fields agent_id, action_session_duration | comp approx_top(agent_id, 10, action_session_duration)

Recommended For You