Cortex XDR XQL comp stage performs an aggregation against a field.
comp <function> [as <alias>] by asc|desc <field1>[,<field2>...]
compstage performs an aggregation function (such as sum, min, max). It must be used with one of the comp functions.
aliasclause to provide a column label for the
byclause identifies the rows in the result set that will be aggregated. This clause is optional. Provide one or more fields to this clause. All fields with matching values are used to perform the aggregation. For example, if you had records such as:
number,id,product 100,"se1","A55" 50,"se1","A60" 50,"se1","A60" 25,"se2","A55" 25,"se2","A60"
The you can aggregate on the number column, and perform aggregation based on matching values in the id and/or product column. So if you sum the number column by the id column, you would get two results:
- 200 for "se1"
- 50 for "se2"
If you summed by id and product, you would get:
- 100 for "se1" and "A55" (there are no matching pairs).
- 100 for "se1" and "A60" (there is one matching pair).
- 25 for "se2" and "A55" (there are no matching pairs).
- 25 for "se2" and "A60" (there are no matching pairs).
You can use a wildcard to perform an aggregate for every field contained in the result set, except for the field(s) specified in the
byclause. The syntax for this is:
comp <function>(*) as * by [asc|desc] <field1>[,<field2>...]
For wildcards to work, all of the fields contained in the result set that are
notidentified in the
byclause must be aggregatable.
action_total_downloadvalues for all records with matching pairs of values for the
dataset = xdr_data | fields actor_process_image_path as Process_Path, actor_process_command_line as Process_CMD, action_total_download as Download | filter Download > 0 | comp sum(Download) as total by Process_Path, Process_CMD
panw_ngfw_traffic_rawdataset, sum the
bytes_sentvalues for every record contained in the result set with a matching value for
dataset = panw_ngfw_traffic_raw | fields bytes_total, bytes_received, bytes_sent, source_ip | comp sum(*) as * by source_ip
Recommended For You
Recommended videos not found.