Comp

Cortex XDR XQL comp stage performs an aggregation against a field.

Synopsis

comp <function> [as <alias>] by asc|desc <
field1
>[,<
field2
>...]

Description

The
comp
stage performs an aggregation function (such as sum, min, max). It must be used with one of the comp functions.
Use the
alias
clause to provide a column label for the
comp
results.
The
by
clause identifies the rows in the result set that will be aggregated. This clause is optional. Provide one or more fields to this clause. All fields with matching values are used to perform the aggregation. For example, if you had records such as:
number,id,product 100,"se1","A55" 50,"se1","A60" 50,"se1","A60" 25,"se2","A55" 25,"se2","A60"
The you can aggregate on the number column, and perform aggregation based on matching values in the id and/or product column. So if you sum the number column by the id column, you would get two results:
  • 200 for "se1"
  • 50 for "se2"
If you summed by id and product, you would get:
  • 100 for "se1" and "A55" (there are no matching pairs).
  • 100 for "se1" and "A60" (there is one matching pair).
  • 25 for "se2" and "A55" (there are no matching pairs).
  • 25 for "se2" and "A60" (there are no matching pairs).

Wildcard Aggregates

You can use a wildcard to perform an aggregate for every field contained in the result set, except for the field(s) specified in the
by
clause. The syntax for this is:
comp <function>(*) as * by [asc|desc] <
field1
>[,<
field2
>...]
For wildcards to work, all of the fields contained in the result set that are
not
identified in the
by
clause must be aggregatable.

Examples

Sum the
action_total_download
values for all records with matching pairs of values for the
actor_process_image_path
and
actor_process_command_line
fields.
dataset = xdr_data | fields actor_process_image_path as Process_Path, actor_process_command_line as Process_CMD, action_total_download as Download | filter Download > 0 | comp sum(Download) as total by Process_Path, Process_CMD
Using the
panw_ngfw_traffic_raw
dataset, sum the
bytes_total
,
bytes_received
, and
bytes_sent
values for every record contained in the result set with a matching value for
source_ip
.
dataset = panw_ngfw_traffic_raw | fields bytes_total, bytes_received, bytes_sent, source_ip | comp sum(*) as * by source_ip

comp Functions

The functions you can use with the
comp
stage are:

Recommended For You