window.mode
window.mode(values)
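Description
Returns the mode of the input values. If there are multiple possible mode values, only one of them is chosen, non-deterministically, as the return value.
Param data types
INT|FLOAT|STRING
Return type
STRING
Code samples
Example 1
Get the mode of the values in the match window.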
// This rule sets the outcome $size_mode to the most frequently occurring
// file size in the 5 minute match window.
events:
  $e.user.userid = $userid
match:
  $userid over 5m
outcome:
  $size_mode = window.mode($e.file.size) // yields 1.6 if the event file size values in the match window are 1.6, 2, and 1.6
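The following Python model is an added example, not Google's implementation or code from the original page. It reproduces the behaviour described above on constructed events and lists every value tied for the mode, so windows where the returned value would be non-deterministic can be identified. The fixed 5-minute buckets, the event tuples, the function names and the use of Python's `str()` for the STRING return type are assumptions made for illustration.

```python
from collections import Counter, defaultdict

WINDOW_SECONDS = 5 * 60  # models the "over 5m" match window (assumed fixed buckets)

# Constructed sample events: (epoch_seconds, userid, file_size)
EVENTS = [
    (0, "alice", 1.6),
    (60, "alice", 2),
    (120, "alice", 1.6),   # alice, window 0: 1.6 occurs twice -> clear mode
    (30, "bob", 10),
    (90, "bob", 20),       # bob, window 0: 10 and 20 once each -> tie
    (400, "alice", 7),     # falls into alice's next window
]


def mode_candidates(values):
    """Return every value tied for the highest count, as sorted strings.

    The documented return type is STRING, so values are stringified here
    (assumption: str() stands in for the product's formatting).
    """
    counts = Counter(values)
    top = max(counts.values())
    return sorted(str(v) for v, c in counts.items() if c == top)


def summarize(events, window=WINDOW_SECONDS):
    """Group events by (userid, window bucket) and report mode candidates.

    'ambiguous' is True when more than one value ties for the mode, i.e.
    when the documented function may return any one of the candidates.
    """
    buckets = defaultdict(list)
    for ts, userid, size in events:
        buckets[(userid, ts // window)].append(size)
    result = {}
    for key, values in sorted(buckets.items()):
        cands = mode_candidates(values)
        result[key] = {"candidates": cands, "ambiguous": len(cands) > 1}
    return result


if __name__ == "__main__":
    for key, info in summarize(EVENTS).items():
        print(key, info)
```

Logic that compares the mode against a fixed value can behave inconsistently for windows flagged as ambiguous, since any one of the candidates may be returned.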
Last updated (UTC): 2025-07-29.