Document:Cortex XDR™ XQL Language Reference

sum

Search the Table of Contents

copyright
- copyright
Get Started with XQL
Stages Commands Reference
- Alter
- Arrayexpand
- Bin
- Comp
  - avg
  - count
  - count_distinct
  - earliest
  - first
  - last
  - latest
  - list
  - max
  - min
  - sum
  - values
- Config
  - case_sensitive
  - timeframe
- Dedup
- Fields
- Filter
- Join
- Iploc
- Limit
- Replacenull
- Sort
- Target
- Union
- View
XQL Functions Reference
- add
- arrayconcat
- arraycreate
- arraydistinct
- arrayfilter
- arrayindex
- arrayindexof
- array_length
- arraymap
- arraymerge
- arrayrange
- arraystring
- coalesce
- concat
- current_time
- divide
- extract_time
- format_string
- format_timestamp
- floor
- if
- incidr
- incidrlist
- json_extract
- json_extract_array
- json_extract_scalar
- len
- lowercase
- multiply
- object_create
- parse_timestamp
- pow
- regextract
- replace
- replex
- round
- split
- string_count
- subtract
- timestamp_diff
- timestamp_seconds
- to_boolean
- to_float
- to_integer
- to_json_string
- to_number
- to_string
- to_timestamp
- trim
- uppercase

sum

Cortex XDR XQL comp sum aggregate returns the sum of an integer field in the result set.

Synopsis

comp sum(<field>) [as <alias>] by <field_1>,<field_2>

Description

The

sum

aggregation is a comp function that returns the sum of an integer field, for all records that contain matching values for the fields identified in the

clause.

Examples

Return the sum of the

action_total_download

field for all records that have matching values for their

actor_process_image_path

and

actor_process_command_line

values:

dataset = xdr_data 
| fields actor_process_image_path as Process_Path, 
       actor_process_command_line as Process_CMD, 
       action_total_download as Download 
| filter Download > 0 
| comp sum(Download) as total_download by Process_Path, Process_CMD

Document:Cortex XDR™ XQL Language Reference

sum

Table of Contents

sum

Synopsis

Description

Examples

Recommended For You

Recommended Videos