Learn more about the Cortex Query Language stddev_sample() function used with both comp and windowcomp stages.
Syntax
comp stddev_sample(<field>) [as <alias>] by <field_1>,<field_2> [addrawdata = true|false [as <target field>]]
windowcomp stddev_sample(<field>) [by <field> [,<field>,...]] [sort [asc|desc] <field1> [, [asc|desc] <field2>,...]] [between 0|null|<number>|-<number> [and 0|null|<number>|-<number>] [frame_type=range]] [as <alias>]
Description
The stddev_sample() function is used to return a single sample (unbiased) standard deviation value of a field for a group of rows. The function syntax and application are based on the preceding stage:
When the stddev_sample aggregation function is used with a comp stage, the function returns a single sample (unbiased) standard deviation value of a field over a group of rows, for all records that contain matching values for the fields identified in the by clause.
In addition, you can configure whether the raw data events are displayed by setting addrawdata to either true or false (default). This setting configures the final comp results. When including raw data events in your query, the query runs for up to 50 fields that you define and displays up to 100 events.
When the stddev_sample statistical aggregate function is used with a windowcomp stage, the function returns a single sample (unbiased) standard deviation value of a field for each row in the group of rows, for all records that contain matching values for the fields identified using a combination of the by clause, sort, and between window frame clause. The results are provided in a new column in the results table.
Examples
Calculate a maximum of 100 metrics_source records, where the _broker_device_ip is 172.16.1.25, and include a single sample (unbiased) standard deviation value of the total_size_bytes field for a group of rows.
dataset = metrics_source | filter _broker_device_ip = "172.16.1.25" | comp stddev_sample(total_size_bytes) | limit 100
Return a maximum of 100 metrics_source records and include a single sample (unbiased) standard deviation value of the total_size_rate field for each row in the group of rows, for all records that contain matching values in the _broker_device_id field. The results are provided in the stddev_sample column.
dataset = metrics_source | limit 100 | windowcomp stddev_sample(total_size_rate) by _broker_device_id as `stddev_sample`
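The difference in output shape between the two stages, modeled in Python as an added example (it is not XQL and not part of the original page): the comp-style function returns one value per by group, while the windowcomp-style function keeps every row and adds the group's value as a new column. The rows are constructed, only the by clause is modeled (no sort or between frame), and returning None for a group with fewer than two values is an assumption of this sketch, not documented XQL behavior.

```python
import math
from collections import defaultdict

# Constructed sample rows (not real telemetry); field names follow the page's examples.
ROWS = [
    {"_broker_device_id": "dev-a", "total_size_rate": 10.0},
    {"_broker_device_id": "dev-a", "total_size_rate": 12.0},
    {"_broker_device_id": "dev-a", "total_size_rate": 14.0},
    {"_broker_device_id": "dev-b", "total_size_rate": 5.0},
    {"_broker_device_id": "dev-b", "total_size_rate": 9.0},
    {"_broker_device_id": "dev-c", "total_size_rate": 7.0},
]

def stddev_sample(values):
    """Sample (unbiased) standard deviation: squared deviations divided by n - 1."""
    n = len(values)
    if n < 2:
        return None  # assumption of this sketch: undefined for fewer than two values
    mean = sum(values) / n
    return math.sqrt(sum((v - mean) ** 2 for v in values) / (n - 1))

def comp_stddev(rows, field, by):
    """comp-style: collapse the rows to one value per distinct `by` value."""
    groups = defaultdict(list)
    for row in rows:
        groups[row[by]].append(row[field])
    return {key: stddev_sample(vals) for key, vals in groups.items()}

def windowcomp_stddev(rows, field, by, alias="stddev_sample"):
    """windowcomp-style: keep every row and add the group's value as a new column."""
    per_group = comp_stddev(rows, field, by)
    return [{**row, alias: per_group[row[by]]} for row in rows]

if __name__ == "__main__":
    print(comp_stddev(ROWS, "total_size_rate", "_broker_device_id"))
    for out_row in windowcomp_stddev(ROWS, "total_size_rate", "_broker_device_id"):
        print(out_row)
```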