approx_quantiles - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Documentation

Product
Cortex XDR
Creation date
2024-03-06
Last date published
2024-10-01
Category
Administrator Guide
Abstract

Learn more about the Cortex Query Language approx_quantiles approximate aggregate comp function.

Syntax
comp approx_quantiles(<field>, <number>, <true|false>) [as <alias>] [by <field1>[,<field2>...]][addrawdata = true|false [as <target field>]]
Description

The approx_quantiles approximate aggregate is a comp function that returns the approximate quantile boundaries of the specified field over a group of rows, for all records that share matching values in the fields identified in the by clause. The third argument selects whether the boundaries are computed over the distinct (true) or non-distinct (false, the default) values of the field. The function returns a single array of <number> + 1 elements: the first element is the approximate minimum, the last element is the approximate maximum, and the elements between them are the boundaries that divide the values into <number> buckets of approximately equal size. Use this approximate aggregate function when approximate results are acceptable; it is more scalable in memory usage and time than the regular aggregate functions, which compute exact results. This approximate aggregate function is used in combination with a comp stage.

In addition, you can configure whether the raw data events are included in the final comp results by setting addrawdata to either true or false (default). When raw data events are included in your query, the query runs over up to 50 fields that you define and displays up to 100 events.
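The following is an added example, not Cortex XDR code: a plain-Python model of the result shape described above, so you can see what a <number> + 1 element array looks like, how the distinct flag changes it, and how the by clause and addrawdata affect the comp output. The model computes exact quantiles with the standard library; the product uses an approximate sketch, so its boundaries can differ slightly on real data. The field names action_file_size and agent_hostname and the sample rows are assumptions constructed for the example.

```python
from collections import defaultdict
from statistics import quantiles


def quantile_boundaries(values, number, distinct=False):
    """Model of approx_quantiles(<field>, <number>, <distinct>) for one group.

    Returns number + 1 elements: index 0 is the minimum, index number is the
    maximum, and index i is the value below which about i/number of the
    (distinct or non-distinct) values fall. Computed exactly here; Cortex XDR
    uses an approximate sketch, so its output may differ slightly.
    """
    if number < 1:
        raise ValueError("number must be at least 1")
    data = sorted(set(values) if distinct else values)
    if not data:
        return []
    if len(data) == 1:  # every boundary collapses onto the single value
        return [data[0]] * (number + 1)
    inner = quantiles(data, n=number, method="inclusive")  # number - 1 cut points
    return [data[0], *inner, data[-1]]


def comp_approx_quantiles(rows, field, number, distinct=False, by=(), addrawdata=False):
    """Model of the comp stage: one result row per distinct combination of the
    by fields. With addrawdata=True each result also carries up to 100 of the
    raw rows that produced it (the documented display cap)."""
    groups = defaultdict(list)
    for row in rows:
        groups[tuple(row.get(f) for f in by)].append(row)
    results = []
    for key, members in groups.items():
        values = [r[field] for r in members if r.get(field) is not None]
        result = {f: v for f, v in zip(by, key)}
        result["approx_quantiles"] = quantile_boundaries(values, number, distinct)
        if addrawdata:
            result["raw_data"] = members[:100]
        results.append(result)
    return results


# Constructed sample rows standing in for xdr_data records (not real telemetry);
# the field names are assumed for the example.
SAMPLE_ROWS = [
    {"agent_hostname": "host-a", "action_file_size": s}
    for s in (1, 1, 1, 1, 1, 1, 1, 1, 2, 10)
] + [
    {"agent_hostname": "host-b", "action_file_size": s} for s in range(1, 11)
]

if __name__ == "__main__":
    # Non-distinct: the repeated 1s pull every inner boundary down to 1.0.
    print(quantile_boundaries([1, 1, 1, 1, 1, 1, 1, 1, 2, 10], 4))
    # Distinct: the same field reduces to {1, 2, 10} before the boundaries are taken.
    print(quantile_boundaries([1, 1, 1, 1, 1, 1, 1, 1, 2, 10], 4, distinct=True))
    for r in comp_approx_quantiles(SAMPLE_ROWS, "action_file_size", 4,
                                   by=("agent_hostname",), addrawdata=True):
        print(r["agent_hostname"], r["approx_quantiles"], len(r["raw_data"]), "raw rows")
```

The two prints for host-a show why the distinct flag matters on skewed data: with non-distinct values, eight identical entries dominate and the boundaries say almost nothing about the 2 and the 10; with distinct values, the boundaries spread across the three different sizes that occurred. Neither is wrong, but they answer different questions, so choose the flag deliberately when the field is something like a file size or a count rather than an identifier.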

Examples
Distinct Values Example

Returns an array of 101 approximate boundaries (100 buckets) computed over the distinct values of the event_id field.

dataset = xdr_data
| fields event_id
| comp approx_quantiles(event_id, 100, true)
Non-Distinct Values Example

Returns an array of 101 approximate boundaries (100 buckets) computed over all values of the event_id field, duplicates included (the third argument is omitted, so it defaults to false).

dataset = xdr_data
| fields event_id
| comp approx_quantiles(event_id, 100)