The stdevif aggregation function in APL computes the standard deviation of values in a group based on a specified condition. This is useful when you want to calculate variability in data, but only for rows that meet a particular condition. For example, you can use stdevif to find the standard deviation of response times in an HTTP log, but only for requests that resulted in a 200 status code.
The stdevif function is useful when you want to analyze the spread of data values filtered by specific criteria, such as analyzing request durations in successful transactions or monitoring trace durations of specific services in OpenTelemetry data.
For users of other query languages
If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.
In Splunk SPL, the stdev function is used to calculate the standard deviation, but you need to use an if function or a where clause to filter data. APL simplifies this by combining both operations in stdevif.
['sample-http-logs']
| summarize stdevif(req_duration_ms, status == "200") by geo.countryIn ANSI SQL, the STDDEV function is used to compute the standard deviation, but it requires the use of a CASE WHEN expression to apply a conditional filter. APL integrates the condition directly into the stdevif function.
['sample-http-logs']
| summarize stdevif(req_duration_ms, status == "200") by geo.countryUsage
Syntax
summarize stdevif(column, condition)Parameters
- column: The column that contains the numeric values for which you want to calculate the standard deviation.
- condition: The condition that must be true for the values to be included in the standard deviation calculation.
Returns
The stdevif function returns a floating-point number representing the standard deviation of the specified column for the rows that satisfy the condition.
Use case examples
In this example, you calculate the standard deviation of request durations (req_duration_ms), but only for successful HTTP requests (status code 200).
Query
['sample-http-logs']
| summarize stdevif(req_duration_ms, status == '200') by ['geo.country']Output
| geo.country | stdev_req_duration_ms |
|---|---|
| US | 120.45 |
| Canada | 98.77 |
| Germany | 134.92 |
This query calculates the standard deviation of request durations for HTTP 200 responses, grouped by country.
In this example, you calculate the standard deviation of span durations, but only for traces from the frontend service.
Query
['otel-demo-traces']
| summarize stdevif(duration, ['service.name'] == "frontend") by kindOutput
| kind | stdev_duration |
|---|---|
| server | 45.78 |
| client | 23.54 |
This query computes the standard deviation of span durations for the frontend service, grouped by span type (kind).
In this example, you calculate the standard deviation of request durations for security events from specific HTTP methods, filtered by POST requests.
Query
['sample-http-logs']
| summarize stdevif(req_duration_ms, method == "POST") by ['geo.city']Output
| geo.city | stdev_req_duration_ms |
|---|---|
| New York | 150.12 |
| Berlin | 130.33 |
This query calculates the standard deviation of request durations for POST HTTP requests, grouped by the originating city.
List of related aggregations
- avgif: Similar to
stdevif, but instead of calculating the standard deviation,avgifcomputes the average of values that meet the condition. - sumif: Computes the sum of values that meet the condition. Use
sumifwhen you want to aggregate total values instead of analyzing data spread. - varianceif: Returns the variance of values that meet the condition, which is a measure of how spread out the data points are.
- countif: Counts the number of rows that satisfy the specified condition.
- minif: Retrieves the minimum value that satisfies the given condition, useful when finding the smallest value in filtered data.