window.median
支援的國家/地區:
window.median(numeric_values, should_ignore_zero_values)
說明
傳回輸入值的中位數。如有 2 個中位數,系統會隨機選擇 1 個做為傳回值。
參數資料類型
INT|FLOAT、BOOL
傳回類型
FLOAT
程式碼範例
範例 1
這個範例會在輸入值不為零時傳回中位數。
rule median_file_size {
meta:
events:
$e.metadata.event_type = "FILE_COPY"
$userid = $e.principal.user.userid
match:
$userid over 1h
outcome:
$median_file_size = window.median($e.principal.file.size) // returns 2 if the file sizes in the match window are [1, 2, 3]
condition:
$e
}
範例 2
如果輸入內容包含不應忽略的零值,這個範例會傳回中位數。
rule median_file_size {
meta:
events:
$e.metadata.event_type = "FILE_COPY"
$userid = $e.principal.user.userid
match:
$userid over 1h
outcome:
$median_file_size = window.median($e.principal.file.size) // returns 1 if the file sizes in the match window are [0,0, 1, 2, 3]
condition:
$e
}
範例 3
這個範例會在輸入內容包含應忽略的零值時,傳回中位數。
rule median_file_size {
meta:
events:
$e.metadata.event_type = "FILE_COPY"
$userid = $e.principal.user.userid
match:
$userid over 1h
outcome:
$median_file_size = window.median($e.principal.file.size, true) // returns 2 if the file sizes in the match window are [0,0, 1, 2, 3]
condition:
$e
}
範例 4
如果輸入內容包含應忽略的所有零值,這個範例會傳回中位數。
rule median_file_size {
meta:
events:
$e.metadata.event_type = "FILE_COPY"
$userid = $e.principal.user.userid
match:
$userid over 1h
outcome:
$median_file_size = window.median($e.principal.file.size) // returns 0 if the file sizes in the match window are [0,0]
condition:
$e
}
範例 5
這個範例顯示,如果有多個中位數,系統只會傳回一個中位數。
rule median_file_size {
meta:
events:
$e.metadata.event_type = "FILE_COPY"
$userid = $e.principal.user.userid
match:
$userid over 1h
outcome:
$median_file_size = window.median($e.principal.file.size) // returns 1 if the file sizes in the match window are [1, 2, 3, 4]
condition:
$e
}