count
Cortex XDR XQL comp count_distinct aggregate counts the number of total values seen for the field in the result set.
Synopsis
comp count(<field>) [as <alias>] by <field_1>,<field_2>
Description
The
count
aggregation is a
comp function that returns a count of the number of values found for a field,
for all records that contain matching values for the fields identified in the by
clause.
Use
count_distinct to retrieve the number of unique values in the result set.
Examples
Return a count of all values seen for the
actor_process_image_path
field for all records that have matching values for their
actor_process_image_path
and
actor_process_command_line
values:
dataset = xdr_data | fields actor_process_image_path as Process_Path, actor_process_command_line as Process_CMD, action_total_download as Download | filter Download > 0 | comp count(Process_Path) as num_process_path by process_path, process_cmd | sort desc process_path
Recommended For You
Recommended Videos
Recommended videos not found.
