Aggregate functions in metrics

I am reaching out in relation to the following metrics post:

https://www.googlecloudcommunity.com/gc/Community-Blog/New-to-Google-SecOps-Using-Metrics-in-YARA-L-...

I am a little confused here. In all 4 parts of this series, why is the aggregate function `max` used?

For example, why is the `max` aggregate function used here instead of `min`:

$min_byte_count_window = max(metrics.network_bytes_outbound(
    period:1d, window:30d,
    metric:value_sum,
    agg:min,
    principal.asset.ip: $ip
))
1 ACCEPTED SOLUTION

One more thing, having gone back and looked at a few other examples in the other blogs in this series, the metrics that do not require the aggregation function prepended are the ones that contain metric: value_sum and do not contain an additional filter calculated within the metric. That isn't an exhaustive set of tests but hopefully some additional guidance that will help as you build rules using metrics.
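A complete rule built around the metric from the question, added here as an illustration rather than anything posted in the thread; the event field names, the match window and the condition syntax are assumptions about the surrounding rule and should be checked against the Google SecOps YARA-L reference:

```yaral
rule outbound_bytes_above_30d_daily_max {
  meta:
    description = "Flags an asset whose outbound bytes in the last hour exceed its largest daily total over the prior 30 days"
    severity = "Medium"

  events:
    // ASSUMED event shape: UDM NETWORK_CONNECTION events carrying sent_bytes
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.principal.asset.ip = $ip
    $e.network.sent_bytes > 0

  match:
    $ip over 1h

  outcome:
    // Live value for this match window: bytes the asset sent in the hour
    $bytes_last_hour = sum($e.network.sent_bytes)

    // Baseline from the metric. agg:max picks the largest daily (period:1d)
    // value_sum across the 30-day window. The outer max() is there because
    // a rule with a match section requires every outcome variable to be an
    // aggregate; it does not change which statistic the metric returns.
    $max_daily_bytes_30d = max(metrics.network_bytes_outbound(
        period:1d, window:30d,
        metric:value_sum,
        agg:max,
        principal.asset.ip: $ip
    ))

    // Same shape with agg:min: returns the smallest daily total instead,
    // while the outer wrapper stays max() for the same reason as above.
    $min_daily_bytes_30d = max(metrics.network_bytes_outbound(
        period:1d, window:30d,
        metric:value_sum,
        agg:min,
        principal.asset.ip: $ip
    ))

  condition:
    // Alert when a single hour already exceeds the busiest full day in the baseline
    $e and $bytes_last_hour > $max_daily_bytes_30d
}
```

The `$min_daily_bytes_30d` variable is computed only to show the agg:min form side by side with agg:max; a production rule would drop whichever baseline the condition does not use.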

