1. Home
    2. Cortex
    3. Cortex XDR
    4. Cortex XDR™ XQL Language Reference
    5. Stages Commands Reference
    6. Comp
    7. last

    last

    Cortex XDR XQL last aggregate returns the last field value found in the dataset with the matching criteria.

    Synopsis

    comp last(<
    field
    >) [as <
    alias
    >] by <
    field_1
    >,<
    field_2
    >

    Description

    The
    last
     aggregation is a comp function that returns the last value found for a field in the dataset that has matching values for the fields identified in the
    by
     clause.

    Examples

    Return the last timestamp found in the dataset for any given
    action_total_download
     value for all records that have matching values for their
    actor_process_image_path
     and
    actor_process_command_line
     fields. 
    dataset = xdr_data 
| fields _time,
      actor_process_image_path as Process_Path,
      actor_process_command_line as Process_CMD,
      action_total_download as Download 
| filter Download > 0 
| comp last(_time) as download_time by Process_Path, Process_CMD

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2021 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo