Determine a Score Based on Field Value
Query
percentile(filesize, percentiles=[40,80],as=score)
| symbol := if(filesize > score_80, then=":+1:", else=if(filesize > score_40, then="so-so", else=":-1:"))
Introduction
When summarizing and displaying data, it may be necessary to derive a score or validity based on a test value. This can be achieved using if() by creating the score value if the underlying field is over a threshold value.
Step-by-Step
Starting with the source repository events.
percentile(filesize, percentiles=[40,80],as=score)
Calculates the percentile() for the filesize field, determining the filesize value that is above 40% of the overall event set and the value that is above 80% of the overall event set. The query then refers to these two thresholds as score_40 and score_80.
| symbol := if(filesize > score_80, then=":+1:", else=if(filesize > score_40, then="so-so", else=":-1:"))
Compares whether the filesize is greater than 80% of the events, setting symbol to :+1: if it is. Because if() functions can be embedded, the else parameter is another if() statement that sets symbol to so-so if the size is greater than 40%, or :-1: otherwise.
Event Result set.
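The following Python sketch is an added example, not part of the original page or of LogScale. It models the logic the steps above describe on constructed file sizes, so the bucket boundaries can be checked by hand. The exact nearest-rank percentile and the handling of events without a numeric filesize are assumptions of this sketch; LogScale's own percentile() computation may differ.

```python
# Constructed sample events (not from the page): file sizes in bytes.
SAMPLE_EVENTS = [
    {"file": f"f{i}", "filesize": size}
    for i, size in enumerate(
        [120, 450, 450, 800, 1500, 3200, 3200, 9000, 15000, 64000]
    )
]


def nearest_rank(values, pct):
    """Smallest value with at least pct percent of the data at or below it."""
    if not values:
        raise ValueError("no numeric values to rank")
    ordered = sorted(values)
    # Integer ceiling of pct * n / 100 avoids floating-point rounding.
    rank = max(1, (pct * len(ordered) + 99) // 100)
    return ordered[rank - 1]


def score_events(events, field="filesize"):
    """Return (score_40, score_80, events with a 'symbol' field added)."""
    sizes = [e[field] for e in events if isinstance(e.get(field), (int, float))]
    score_40 = nearest_rank(sizes, 40)
    score_80 = nearest_rank(sizes, 80)
    scored = []
    for event in events:
        size = event.get(field)
        if not isinstance(size, (int, float)):
            symbol = None          # assumption: events without the field stay unscored
        elif size > score_80:      # if(filesize > score_80, then=":+1:", ...
            symbol = ":+1:"
        elif size > score_40:      # ... else=if(filesize > score_40, then="so-so", ...
            symbol = "so-so"
        else:                      # ... else=":-1:"))
            symbol = ":-1:"
        scored.append({**event, "symbol": symbol})
    return score_40, score_80, scored


if __name__ == "__main__":
    low, high, rows = score_events(SAMPLE_EVENTS)
    print(f"score_40={low} score_80={high}")
    for row in rows:
        print(row["file"], row["filesize"], row["symbol"])
```

Because both comparisons are strict, an event whose filesize equals a threshold lands in the lower bucket.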