window.stddev
支援的國家/地區:
window.stddev(numeric_values)
說明
傳回相符視窗中輸入值的標準差。
參數資料類型
INT|FLOAT
傳回類型
FLOAT
程式碼範例
範例 1
這個範例會傳回相符視窗中整數的標準差。
// This rule creates a detection when the file size stddev in 5 minutes for a user is over a threshold.
events:
$e.user.userid = $userid
match:
$userid over 5m
outcome:
$p1 = window.stddev($e.file.size) // yields 4.0 if the event file size values in the match window are [10, 14, 18].
condition:
$e and #p1 > 2
範例 2
這個範例會傳回比對視窗中浮點數的標準差。
events:
$e.user.userid = $userid
match:
$userid over 5m
outcome:
$p1 = window.stddev($e.file.size) // yields 4.488686 if the event file size values in the match window are [10.00, 14.80, 18.97].
condition:
$e and #p1 > 2
範例 3
這個範例會傳回含有負數的相符時間範圍內的標準差。
events:
$e.user.userid = $userid
match:
$userid over 5m
outcome:
$p1 = window.stddev($e.file.size) // yields 48.644972 if the event file size values in the match window are [-1, -56, -98].
condition:
$e and #p1 > 2
範例 4
如果比對視窗中的所有值都相同,這個範例會傳回零標準差。
events:
$e.user.userid = $userid
match:
$userid over 5m
outcome:
$p1 = window.stddev($e.file.size) // yields 0.000000 if the event file size values in the match window are [1, 1, 1].
condition:
$e and #p1 > 2
範例 5
這個範例會傳回含有正數和負數的相符視窗標準差。
events:
$e.user.userid = $userid
match:
$userid over 5m
outcome:
$p1 = window.stddev($e.file.size) // yields 1.000000 if the event file size values in the match window are [1, 0, -1].
condition:
$e and #p1 > 10