Experimental Median Quartile Quantile

Usage Information

Median:

This chart command allows you to calculate the statistical median from the provided field.

Syntax: | chart median(fieldname) as string

For example, "| chart median(doable_mps) as Median" command calculates the median for the values of field doable_mps from event logs and assigns the calculated value to the Median field. 

Quartile:

This chart command allows you to calculate the statistical quartile from the provided field. This is helpful in understanding the normal profile for the particular field value.

Syntax: | chart quartile(fieldname) as string1, string2, string3. 

Here, string1, string2, and string3 are optional fields. The default fields are Q1, Q2, and Q3.

For example, "| chart quartile(doable_mps)" command calculates the quartile for the values of doable_mps and assigns the calculated value to the Q1, Q2, and Q3 fields. This gives three values for dividing the entire range field doable_mps into four parts. 

Quantile:

This process command performs dynamic enrichment to add a new field quantile. This new field includes values taken at regular intervals from the inverse of the cumulative distribution function (CDF) of an interesting field from event logs. This allows Security Analysts to find unique and rare logs.

Syntax: | process quantile(fieldname)

For example, "| process quantile(doable_mps)" command calculates the quantile for the values of doable_mps and assigns the calculated value to the quantile field. 

Installation

To install Experimental Median Quartile Quantile:

1. Download the .pak file provided above in Download.

2. Go to Settings >> System Settings >> Applications.

3.  Click Import.

4.  Browse to the downloaded .pak file.

5. Click Upload.