arrayfilter

The Cortex XDR XQL arrayfilter function filters the elements of an array, either by a condition that must be met or by a specified array element value.

Synopsis

arrayfilter(<array>, <condition>)
arrayfilter(<array>, "@element"<operator*>"<array element>")

*The <operator> can be any of the supported operators, such as = and !=.

Description

The arrayfilter() function filters the elements of an array in one of the following ways.
  • Returns the array elements for which a given condition holds.
  • Returns the array elements that match a specified array element value, using the "@element" syntax.

Examples

Condition

Use the Alter stage to assign a value to a field called x that returns the value of the arrayfilter function. The arrayfilter function filters the dfe_labels array and returns the array value when the backtrace_identities array contains more than 1 element.

dataset in (xdr_data) | alter x = arrayfilter(dfe_labels , array_length(backtrace_identities) > 1) | fields x, dfe_labels | limit 100
@Element

When the dfe_labels array is not empty, use the Alter stage to assign a value to a field called x that returns the value of the arrayfilter function. The arrayfilter function filters the dfe_labels array for the array element set to network.

dataset = xdr_data | filter dfe_labels != null | alter x = arrayfilter(dfe_labels , "@element" = "network") | fields x, dfe_labels | limit 100
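The following query is an added example, not part of the original documentation page, that combines the two forms shown above: it uses the "@element" syntax with the != operator (listed in the synopsis as a supported operator) to keep every label other than network, then applies array_length to the filtered result so that only rows with at least one such label are returned. The dataset xdr_data and the field dfe_labels are taken from the examples above; the output field names non_network_labels and non_network_count are assumed names chosen for this example.

```xql
dataset = xdr_data
| filter dfe_labels != null
// keep only the labels that are not "network" (assumed: "@element" with != behaves as described in the synopsis)
| alter non_network_labels = arrayfilter(dfe_labels, "@element" != "network")
// count what survived the filter; array_length is the same function used in the Condition example
| alter non_network_count = array_length(non_network_labels)
// drop rows where every label was "network"
| filter non_network_count > 0
| fields non_network_labels, non_network_count, dfe_labels
| limit 100
```

Comparing non_network_labels against dfe_labels side by side is a quick way to confirm that the "@element" condition is evaluated per element rather than against the whole array.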
