list

Cortex XDR XQL comp list aggregate returns an array for up to 100 values seen for the field in the result set.

Synopsis

comp list(<field>) [as <alias>] by <field_1>,<field_2>

Description

The list aggregation is a comp function that returns an array of up to 100 values found for a given field, for all records that contain matching values for the fields identified in the by clause. The array values are all non-null, so null values are filtered out. The values returned in the array are non-unique, so if a value repeats multiple times it is included as part of the list of up to 100 values.

Examples

Return an array containing up to 100 values seen for the action_total_download field for all records that have matching values for their actor_process_image_path and actor_process_command_line values:

dataset = xdr_data | fields actor_process_image_path as Process_Path, actor_process_command_line as Process_CMD, action_total_download Download | filter Download > 0 | comp list(Download) as list_download by Process_Path, Process_CMD
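To make the semantics of the example query concrete (null values dropped, repeated values kept, at most 100 entries per group), the following is an added Python emulation of the query over constructed sample records; it is not Cortex XDR code, and it assumes the engine keeps record order within each array.

```python
from collections import defaultdict
from typing import Any, Dict, Iterable, List, Tuple

# Cap documented for the XQL comp list aggregation.
LIST_CAP = 100

# Constructed sample records standing in for xdr_data rows (None = null).
SAMPLE_RECORDS: List[Dict[str, Any]] = [
    {"actor_process_image_path": r"C:\tools\fetch.exe",
     "actor_process_command_line": "fetch.exe -o out.bin", "action_total_download": 512},
    {"actor_process_image_path": r"C:\tools\fetch.exe",
     "actor_process_command_line": "fetch.exe -o out.bin", "action_total_download": 512},   # repeat: kept
    {"actor_process_image_path": r"C:\tools\fetch.exe",
     "actor_process_command_line": "fetch.exe -o out.bin", "action_total_download": None},  # null: dropped
    {"actor_process_image_path": r"C:\tools\fetch.exe",
     "actor_process_command_line": "fetch.exe -o out.bin", "action_total_download": 0},     # removed by filter
    {"actor_process_image_path": r"C:\Windows\System32\svchost.exe",
     "actor_process_command_line": "svchost.exe -k netsvcs", "action_total_download": 2048},
]


def comp_list(records: Iterable[Dict[str, Any]], field: str,
              by: Tuple[str, ...]) -> Dict[Tuple[Any, ...], List[Any]]:
    """Emulate `comp list(field) by <by...>`: one array per distinct by-key,
    holding the non-null values of `field` in record order, duplicates kept,
    truncated at LIST_CAP entries."""
    groups: Dict[Tuple[Any, ...], List[Any]] = defaultdict(list)
    for rec in records:
        key = tuple(rec.get(name) for name in by)
        value = rec.get(field)
        if value is None:          # null values never enter the array
            continue
        if len(groups[key]) < LIST_CAP:   # further values are discarded once the cap is hit
            groups[key].append(value)
    return dict(groups)


def example_query(records: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Mirror the page's query: rename fields, filter Download > 0, then
    comp list(Download) as list_download by Process_Path, Process_CMD."""
    renamed = [{"Process_Path": r.get("actor_process_image_path"),
                "Process_CMD": r.get("actor_process_command_line"),
                "Download": r.get("action_total_download")} for r in records]
    # A null Download never satisfies `> 0`, so it is excluded here as well.
    filtered = [r for r in renamed if r["Download"] is not None and r["Download"] > 0]
    grouped = comp_list(filtered, "Download", ("Process_Path", "Process_CMD"))
    return [{"Process_Path": k[0], "Process_CMD": k[1], "list_download": v}
            for k, v in grouped.items()]
```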
