Target

Cortex XDR XQL target() stage saves query results to a dataset.

Synopsis

target type=dataset|lookup append=true|false <dataset name>

Description

The target() stage saves query results to a named dataset or lookup. These are persistent and can be used in subsequent queries. If it is used, this stage must be the last stage specified in the query.

Use dataset if you are saving the query results for use in future queries. Use lookup if you want to export the query results to disk.

Examples

Save the results of a simple query to a named dataset.
dataset = xdr_data | fields action_boot_time as abt | filter abt != null | target type=dataset abt_dataset
Subsequently, you can query the new dataset. Notice that the field names used by the new dataset conform to the aliases that you used when you created the dataset:
dataset = abt_dataset | filter abt = 1603986614040
