latest
Cortex XDR XQL latest aggregate returns the latest field value found with the matching criteria.
Synopsis
comp latest(<field>) [as <alias>] by <field_1>,<field_2>
Description
The
latest
aggregation is a
comp function that returns the chronologically latest value found for a field
that has
matching values for the fields identified in the by
clause.
Examples
Return the chronologically latest timestamp found for any given
action_total_download
value for all records
that have matching values for their
actor_process_image_path
and actor_process_command_line
fields.
dataset = xdr_data | fields _time, actor_process_image_path as Process_Path, actor_process_command_line as Process_CMD, action_total_download as Download | filter Download > 0 | comp latest(_time) as download_time by Process_Path, Process_CMD
Recommended For You
Recommended Videos
Recommended videos not found.
