stddev_population - Learn more about the Cortex Query Language stddev_population() function used with both comp and windowcomp stages. - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

comp stddev_population(<field>) [as <alias>] by <field_1>,<field_2> [addrawdata = true|false [as <target field>]]

windowcomp stddev_population(<field>) [by <field> [,<field>,...]] [sort [asc|desc] <field1> [, [asc|desc] <field2>,...]] [between 0|null|<number>|-<number> [and 0|null|<number>|-<number>] [frame_type=range]] [as <alias>] 

When the stddev_population aggregation function is used with a comp stage, the function returns a single population (biased) variance value of a field over a group of rows, for all records that contain matching values for the fields identified in the by clause.

In addition, you can configure whether the raw data events are displayed by setting addrawdata to either true or false (default), which are used to configure the final comp results. When including raw data events in your query, the query runs for up to 50 fields that you define and displays up to 100 events.

When the stddev_population statistical aggregate function is used with a windowcomp stage, the function returns a single population (biased) variance value of a field for each row in the group of rows, for all records that contain matching values for the fields identified using a combination of the by clause, sort, and between window frame clause. The results are provided in a new column in the results table.