Fields
The Cortex XDR XQL fields stage defines which fields are returned in the result set, and therefore which fields later stages in the query can see.
Synopsis
fields [-] <field_1> [as <name1>], <field_2> [as <name2>], ...
Description
The fields stage identifies which fields are returned in the result set. Once this stage is used, subsequent stages can operate only on the fields it selects; any field dropped here is no longer available to a later filter, alter, or comp stage.
Use a wildcard (*) to include all fields whose names match a pattern, for example event_*.
Use a '-' prefix to exclude a field from the result set. An exclusion can follow a wildcard inclusion to keep every matching field except the named one.
Use the as clause to assign an alias to a field. Once a field is aliased, subsequent stages must refer to it by that alias; referring to the original field name after the aliasing stage fails because that name is no longer in the result set.
Examples
Return the action_country field, aliased as ac, from all xdr_data records where that field is both not null and not "-". Also include all fields with names that match event_*, except for event_type. Note that the filter stage refers to ac rather than action_country, because the alias was assigned by an earlier fields stage and the original name is no longer visible at that point.
dataset = xdr_data | fields action_country as ac | fields event_* | fields - event_type | filter ac != null and ac != "-"
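The following query is an added illustration and is not taken from the Cortex XDR documentation. It shows the same stage in a multi-line layout, with the wildcard inclusion, the exclusion, and the alias combined in one fields stage, followed by a filter that uses the alias. It uses only the dataset and field names that already appear on this page; the limit stage and the // line-comment syntax are assumed to be available in XQL.

```xql
// Added example, not part of the official documentation.
// Keep every event_* field, drop event_type, and expose action_country as ac.
dataset = xdr_data
| fields event_*, action_country as ac
| fields - event_type
// The filter must reference ac: after the aliasing stage, action_country
// is no longer in the result set, so "filter action_country != null" would fail here.
| filter ac != null and ac != "-"
| limit 100
```

Placing the filter before the fields stage (and filtering on action_country there) is the other valid ordering; which one to choose depends on whether later stages need the original name or the alias.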