View

Cortex XDR XQL view stage configures the graphical display of the result set.

Synopsis

view highlight fields = <field1>[,<field2>,...] values = <value1>[,<value2>,...]
view graph = column|line|pie xaxis = <field1> yaxis = <field2> [<optional parameters>]

Description

The view() stage configures the graphical display of the result set. It can be used in two different ways.

If you use highlight, the view stage highlights the specified strings wherever XDR finds them in the specified fields. The highlight values you provide are matched as substrings, so a field value is highlighted even when only part of it matches, and only the matching part is highlighted in the final results table.

If you use graph, the view stage creates a column, line, or pie chart based on the values found for the fields specified in the xaxis and yaxis parameters. In this mode, view also offers a large number of parameters that allow you to control colors, decorations, and other behavior of the final chart.

If you use graph, the fields specified for xaxis and yaxis must be collatable or the query will fail.

Examples

Use the dedup stage to collect unique combinations of event_type and event_sub_type values, then highlight the word "STREAM" wherever it appears in the result set.
dataset = xdr_data | fields event_type, event_sub_type | dedup event_type, event_sub_type by asc _time | view highlight fields = event_sub_type values = "STREAM"
Count the number of unique files accessed by each user, and show a column graph of the results. This query uses comp count_distinct to calculate the number of unique files per username.
dataset = xdr_data | fields actor_effective_username as username, action_file_path as file_path | filter file_path != null and username != null | comp count_distinct(file_path) as file_count by username | view graph type = column xaxis = username yaxis = file_count
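The following two queries are added examples, not part of the original Cortex XDR documentation, and are not Palo Alto Networks' own sample queries. They show the parts of the synopsis that the page's examples do not exercise: highlight with several fields and several values at once, and a line graph whose x axis is a time bucket. The field names agent_hostname, actor_process_image_name and action_process_image_name and the use of the bin stage to bucket _time into hourly intervals are assumptions about the xdr_data dataset; the graph form follows the page's second example (graph type = ...).

```xql
dataset = xdr_data
| fields agent_hostname, actor_process_image_name, action_process_image_name
| filter action_process_image_name != null
| view highlight fields = actor_process_image_name, action_process_image_name values = "powershell", "cmd"

dataset = xdr_data
| fields event_type, _time
| filter event_type != null
| bin _time span = 1h
| comp count() as event_count by _time
| view graph type = line xaxis = _time yaxis = event_count
```

In the first query the values are substrings, so a parent or child process value such as "powershell.exe" is highlighted in either column without the full file name having to be given; this is convenient when triaging a results table for process-chain patterns. In the second query both axes are collatable (a binned timestamp and an integer count), so the line chart renders an hourly event-volume trend; a sudden spike in that line is an easy visual cue to investigate, which is what the graph mode of view is for.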
