1. Home
    2. Cortex
    3. Cortex XDR
    4. Cortex XDR™ XQL Language Reference
    5. Stages Commands Reference
    6. Comp
    7. earliest

    earliest

    Cortex XDR XQL earliest aggregate returns the earliest field value found with the matching criteria.

    Synopsis

    comp earliest(<
    field
    >) [as <
    alias
    >] by <
    field_1
    >,<
    field_2
    >

    Description

    The
    earliest
     aggregation is a comp function that returns the chronologically earliest value found for a field that has matching values for the fields identified in the
    by
     clause.

    Examples

    Return the chronologically earliest timestamp found for any given
    action_total_download
     value for all records that have matching values for their
    actor_process_image_path
     and
    actor_process_command_line
     fields. 
    dataset = xdr_data 
| fields _time, 
      actor_process_image_path as Process_Path,
      actor_process_command_line as Process_CMD,
      action_total_download as Download  
| filter Download > 0 
| comp earliest(_time) as download_time by Process_Path, Process_CMD

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2021 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo