使用集合让一切井井有条
根据您的偏好保存内容并对其进行分类。
stddev
stddev(numericExpression)
说明
stddev 函数会返回所有可能值的标准差。
参数数据类型
NUMBER
返回类型
NUMBER
代码示例
示例
查找 target.ip 不为空的所有事件。对于与 principal.ip 匹配的所有事件,将 metadata.event_timestamp.seconds 的标准差存储在名为 stddev_seconds 的变量中。
target.ip != ""
match:
principal.ip
outcome:
$stddev_seconds = stddev(metadata.event_timestamp.seconds)
如未另行说明,那么本页面中的内容已根据知识共享署名 4.0 许可获得了许可,并且代码示例已根据 Apache 2.0 许可获得了许可。有关详情,请参阅 Google 开发者网站政策。Java 是 Oracle 和/或其关联公司的注册商标。
最后更新时间 (UTC):2025-07-29。
[[["易于理解","easyToUnderstand","thumb-up"],["解决了我的问题","solvedMyProblem","thumb-up"],["其他","otherUp","thumb-up"]],[["很难理解","hardToUnderstand","thumb-down"],["信息或示例代码不正确","incorrectInformationOrSampleCode","thumb-down"],["没有我需要的信息/示例","missingTheInformationSamplesINeed","thumb-down"],["翻译问题","translationIssue","thumb-down"],["其他","otherDown","thumb-down"]],["最后更新时间 (UTC):2025-07-29。"],[[["\u003cp\u003eThe \u003ccode\u003estddev\u003c/code\u003e function calculates the standard deviation across a set of numeric values.\u003c/p\u003e\n"],["\u003cp\u003eIt accepts a \u003ccode\u003eNUMBER\u003c/code\u003e data type as input, represented by the \u003ccode\u003enumericExpression\u003c/code\u003e parameter.\u003c/p\u003e\n"],["\u003cp\u003eThe function's output is a \u003ccode\u003eNUMBER\u003c/code\u003e representing the calculated standard deviation.\u003c/p\u003e\n"],["\u003cp\u003eAn example use case includes calculating the standard deviation of \u003ccode\u003emetadata.event_timestamp.seconds\u003c/code\u003e for events matching \u003ccode\u003eprincipal.ip\u003c/code\u003e.\u003c/p\u003e\n"]]],[],null,["### stddev\n\n stddev(numericExpression)\n\n#### Description\n\nThe `stddev` function returns the standard deviation over all the possible\nvalues.\n\n#### Param data types\n\n`NUMBER`\n\n#### Return type\n\n`NUMBER`\n\n#### Code Samples\n\n##### Example\n\nFind all the events where `target.ip` is not empty. For all the events that\nmatch on `principal.ip`, store the standard deviation of\n`metadata.event_timestamp.seconds` in a variable called `stddev_seconds`. \n\n target.ip != \"\"\n match:\n principal.ip\n outcome:\n $stddev_seconds = stddev(metadata.event_timestamp.seconds)"]]
