Learn more about the Cortex Query Language median function used with both comp and windowcomp stages.
Syntax
comp median(<field>) [as <alias>] by <field_1>,<field_2> [addrawdata = true|false [as <target field>]]
windowcomp median(<field>) [by <field> [,<field>,...]] [as <alias>]
Description
The median() function returns the median value of a field over a group of rows. The function's syntax and behaviour depend on the preceding stage:
When the median aggregation function is used with a comp stage, the function returns a single median value of a field for a group of rows, for all records that contain matching values for the fields identified in the by clause.
In addition, you can configure whether the raw data events are displayed by setting addrawdata to either true or false (default), which controls the final comp results. When including raw data events in your query, the query runs for up to 50 fields that you define and displays up to 100 events.
When the median aggregate function is used with a windowcomp stage, the function returns a single median value of a field for each row in the group of rows, for all records that contain matching values for the fields identified in the by clause. In a median function, the sort and between window frame clauses are not used. The results are provided in a new column in the results table.
Examples
Return a single median value of the action_total_download field over a group of rows, for all records that have matching values for their actor_process_image_path and actor_process_command_line values. The query calculates a maximum of 100 xdr_data records and includes a raw_data column listing a single value for the results.
dataset = xdr_data | fields actor_process_image_path as Process_Path, actor_process_command_line as Process_CMD, action_total_download as Download | filter Download > 0 | limit 100 | comp median(Download) as median_download by Process_Path, Process_CMD addrawdata = true as raw_data
Return all events where the Download field is greater than the median by reviewing each individual event and how it compares to the median. The query returns a maximum of 100 xdr_data records, with each row's group median in a column called median_download.
dataset = xdr_data | fields actor_process_image_path as Process_Path, actor_process_command_line as Process_CMD, action_total_download as Download | filter Download > 0 | limit 100 | windowcomp median(Download) by Process_Path, Process_CMD as median_download | filter Download > median_download
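As an added illustration (not code from the Cortex documentation or product), the following Python models the two queries above on a handful of constructed rows: comp median collapses each Process_Path/Process_CMD group to one result row, while windowcomp median keeps every row and appends the group median so the final filter can compare each event against it. Python's statistics.median averages the two middle values for even-sized groups; that this matches XQL's behaviour is an assumption.

```python
from collections import defaultdict
from statistics import median  # averages the two middle values for even-sized groups (assumed to match XQL)
def rec(path, cmd, download):
    return {"actor_process_image_path": path, "actor_process_command_line": cmd, "action_total_download": download}

# Constructed sample records in the shape of the xdr_data fields used on this page (not real telemetry).
XDR_DATA = [
    rec("C:\\tools\\sync.exe", "sync.exe --all", 120),
    rec("C:\\tools\\sync.exe", "sync.exe --all", 300),
    rec("C:\\tools\\sync.exe", "sync.exe --all", 900),
    rec("C:\\tools\\sync.exe", "sync.exe --all", 0),     # dropped by filter Download > 0
    rec("C:\\app\\agent.exe", "agent.exe", 50),
    rec("C:\\app\\agent.exe", "agent.exe", 70),
]
BY = ["Process_Path", "Process_CMD"]

def prepare(rows, limit=100):
    """fields ... as Process_Path/Process_CMD/Download | filter Download > 0 | limit 100"""
    kept = [{"Process_Path": r["actor_process_image_path"],
             "Process_CMD": r["actor_process_command_line"],
             "Download": r["action_total_download"]}
            for r in rows if r["action_total_download"] > 0]
    return kept[:limit]

def comp_median(rows, field, by, alias, addrawdata=False, raw_alias="raw_data"):
    """comp median(field) as alias by ...: collapses each group to a single result row."""
    groups = defaultdict(list)
    for r in rows:
        groups[tuple(r[k] for k in by)].append(r)
    out = []
    for key, members in groups.items():
        row = dict(zip(by, key), **{alias: median(m[field] for m in members)})
        if addrawdata:          # addrawdata = true as raw_data keeps the contributing events
            row[raw_alias] = members
        out.append(row)
    return out

def windowcomp_median(rows, field, by, alias):
    """windowcomp median(field) by ... as alias: keeps every row, adds the group median as a column."""
    groups = defaultdict(list)
    for r in rows:
        groups[tuple(r[k] for k in by)].append(r[field])
    medians = {k: median(v) for k, v in groups.items()}
    return [dict(r, **{alias: medians[tuple(r[k] for k in by)]}) for r in rows]

def above_median(rows):
    """The second example query: filter Download > median_download, evaluated row by row."""
    annotated = windowcomp_median(prepare(rows), "Download", BY, "median_download")
    return [r for r in annotated if r["Download"] > r["median_download"]]
```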