The varianceif aggregation in APL calculates the variance of values that meet a specified condition. This is useful when you want to understand the variability of a subset of data without considering all data points. For example, you can use varianceif to compute the variance of request durations for HTTP requests that resulted in a specific status code or to track anomalies in trace durations for a particular service.

You can use the varianceif aggregation when analyzing logs, telemetry data, or security events where conditions on subsets of the data are critical to your analysis.

For users of other query languages

If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.

In Splunk, you would use the eval function to filter data and calculate variance for specific conditions. In APL, varianceif combines the filtering and aggregation into a single function, making your queries more concise.

```sql Splunk example | eval filtered_var=if(status=="200",req_duration_ms,null()) | stats var(filtered_var) ``` 
['sample-http-logs']
| summarize varianceif(req_duration_ms, status == '200')

In ANSI SQL, you typically use a CASE statement to apply conditional logic and then compute the variance. In APL, varianceif simplifies this by combining both the condition and the aggregation.

```sql SQL example SELECT VARIANCE(CASE WHEN status = '200' THEN req_duration_ms END) FROM sample_http_logs; ``` 
['sample-http-logs']
| summarize varianceif(req_duration_ms, status == '200')

Usage

Syntax

summarize varianceif(Expr, Predicate)

Parameters

  • Expr: The expression (numeric) for which you want to calculate the variance.
  • Predicate: A boolean condition that determines which records to include in the calculation.

Returns

Returns the variance of Expr for the records where the Predicate is true. If no records match the condition, it returns null.

Use case examples

You can use the varianceif function to calculate the variance of HTTP request durations for requests that succeeded (status == '200').

Query

['sample-http-logs']
| summarize varianceif(req_duration_ms, status == '200')

Run in Playground

Output

varianceif_req_duration_ms
15.6

This query calculates the variance of request durations for all HTTP requests that returned a status code of 200 (successful requests).

You can use the varianceif function to monitor the variance in span durations for a specific service, such as the frontend service.

Query

['otel-demo-traces']
| summarize varianceif(duration, ['service.name'] == 'frontend')

Run in Playground

Output

varianceif_duration
32.7

This query calculates the variance in the duration of spans generated by the frontend service.

The varianceif function can also be used to track the variance in request durations for requests from a specific geographic region, such as requests from geo.country == 'United States'.

Query

['sample-http-logs']
| summarize varianceif(req_duration_ms, ['geo.country'] == 'United States')

Run in Playground

Output

varianceif_req_duration_ms
22.9

This query calculates the variance in request durations for requests originating from the United States.
  • avgif: Computes the average value of an expression for records that match a given condition. Use avgif when you want the average instead of variance.
  • sumif: Returns the sum of values that meet a specified condition. Use sumif when you’re interested in totals, not variance.
  • stdevif: Returns the standard deviation of values based on a condition. Use stdevif when you want to measure dispersion using standard deviation instead of variance.

Good evening

I'm here to help you with the docs.

I
AIBased on your context