Stay organized with collections
Save and categorize content based on your preferences.
window.mode
window.mode(values)
Description
Return the mode of the input values. In case of multiple possible mode values, only one of those values will be non-deterministically chosen as the return value.
Param data types
INT|FLOAT|STRING
Return type
STRING
Code samples
Example 1
Get mode of the values in the match window.
// This rule sets the outcome $size_mode to the most frequently occurring
// file size in the 5 minute match window.
events:
$e.user.userid = $userid
match:
$userid over 5m
outcome:
$size_mode = window.mode($e.file.size) // yields 1.6 if the event file size values in the match window are 1.6, 2, and 1.6
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-07-14 UTC.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-07-14 UTC."],[[["\u003cp\u003e\u003ccode\u003ewindow.mode\u003c/code\u003e calculates the most frequently occurring value (mode) from a set of input values.\u003c/p\u003e\n"],["\u003cp\u003eThe function accepts integer, float, or string data types as input values.\u003c/p\u003e\n"],["\u003cp\u003eIf there are multiple modes, one of them will be randomly selected as the output.\u003c/p\u003e\n"],["\u003cp\u003eThe \u003ccode\u003ewindow.mode\u003c/code\u003e function can be utilized within a rule's outcome to find the mode of a particular field over a defined time window, as demonstrated by finding \u003ccode\u003e$size_mode\u003c/code\u003e over a 5-minute window.\u003c/p\u003e\n"]]],[],null,["### window.mode\n\nSupported in: \n[Rules](/chronicle/docs/detection/default-rules) \n\n window.mode(values)\n\n#### Description\n\nReturn the mode of the input values. In case of multiple possible mode values, only one of those values will be non-deterministically chosen as the return value.\n\n#### Param data types\n\n`INT|FLOAT|STRING`\n\n#### Return type\n\n`STRING`\n\n#### Code samples\n\n##### Example 1\n\nGet mode of the values in the match window. \n\n // This rule sets the outcome $size_mode to the most frequently occurring\n // file size in the 5 minute match window.\n events:\n $e.user.userid = $userid\n match:\n $userid over 5m\n outcome:\n $size_mode = window.mode($e.file.size) // yields 1.6 if the event file size values in the match window are 1.6, 2, and 1.6"]]
