Replacenull
Cortex XDR XQL replacenull stage replaces null field values with a string.
Synopsis
replacenull <field> = <string>
Description
The
replacenull
stage replaces null field values
with the specified string. This guarantees that every field in your result
set will contain a value.
If you use the
replacenull
stage, then
all subsequent stages that refer to the field's null value must
use the replacement string.
Examples
Return the
action_country
field from every
xdr_data
records where the
action_country
field is null, using the string
N/A
in the place of an empty field value.
dataset = xdr_data | fields action_country as ac | replacenull ac = "N/A" | filter ac = "N/A"
Recommended For You
Recommended Videos
Recommended videos not found.
