arrayindexof

Cortex XDR XQL arrayindexof function returns the index value of an array.

Synopsis

arrayindexof(<array>, <condition>)
arrayindexof(<array>, "@element"<operator*>"<array element>")

*The <operator> can be any of the ones supported, such as = and !=.

Description

The arrayindexof() function enables you to return a value related to an array in one of the following ways.
  • Returns 0 if a particular array is not empty and the specified condition is true. If the condition is not met, a NULL value is returned.
  • Returns the 0-based index of a particular array element if a particular array is not empty and the specified condition using an @element is true. If the condition is not met, a NULL value is returned.

Examples

Condition

Use the Alter stage to assign a value returned by the arrayindexof function to a field called x. The arrayindexof function reviews the dfe_labels array and returns 0 if the array is not empty and the backtrace_identities array contains more than 1 element. Otherwise, a NULL value is assigned to the x field.

dataset in (xdr_data) | alter x = arrayindexof(dfe_labels , array_length(backtrace_identities) > 1) | fields x, dfe_labels | limit 100
@Element

When the dfe_labels array is not empty, use the Alter stage to assign the 0-based index value returned by the arrayindexof function to a field called x. The arrayindexof function reviews the dfe_labels array and looks for the array element set to network. Otherwise, a NULL value is assigned to the x field.

dataset = xdr_data | filter dfe_labels != null | alter x = arrayindexof(dfe_labels , "@element" = "network") | fields x, dfe_labels | limit 100
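The following Python model, added here and not part of the Cortex XDR product or its documentation, reproduces the two arrayindexof() behaviours described above (the Condition form and the @Element form) over constructed rows standing in for xdr_data records. It assumes that the @element form returns the index of the first matching element and that a NULL array yields NULL; the sample rows, the OPERATORS table and the helper names are constructed for illustration.

```python
import operator
from typing import Any, Optional, Sequence

# Comparison operators the model supports (the docs name = and != as examples)
OPERATORS = {"=": operator.eq, "!=": operator.ne}

def array_length(arr: Optional[Sequence[Any]]) -> Optional[int]:
    """Model of XQL array_length(): NULL in, NULL out."""
    return None if arr is None else len(arr)

def arrayindexof(arr: Optional[Sequence[Any]], condition) -> Optional[int]:
    """Model of XQL arrayindexof(). `condition` is either an already-evaluated
    bool (first form) or an ("@element", operator, value) triple (second form)."""
    if not arr:  # NULL or empty array: NULL, whatever the condition
        return None
    if isinstance(condition, bool):
        # first form: 0 when the array is non-empty and the condition holds
        return 0 if condition else None
    placeholder, op, value = condition
    if placeholder != "@element" or op not in OPERATORS:
        raise ValueError(f"unsupported condition: {condition!r}")
    # second form: 0-based index of the first element satisfying the comparison
    # (returning the first match is an assumption; the docs do not say)
    for idx, element in enumerate(arr):
        if OPERATORS[op](element, value):
            return idx
    return None

# Constructed sample rows standing in for xdr_data records
SAMPLE_ROWS = [
    {"dfe_labels": ["process", "network"], "backtrace_identities": ["a", "b"]},
    {"dfe_labels": ["file"], "backtrace_identities": ["a"]},
    {"dfe_labels": [], "backtrace_identities": ["a", "b", "c"]},
    {"dfe_labels": None, "backtrace_identities": None},
]

def condition_example(row):
    """alter x = arrayindexof(dfe_labels, array_length(backtrace_identities) > 1)"""
    n = array_length(row["backtrace_identities"])
    return arrayindexof(row["dfe_labels"], n is not None and n > 1)

def element_example(row):
    """alter x = arrayindexof(dfe_labels, "@element" = "network")"""
    return arrayindexof(row["dfe_labels"], ("@element", "=", "network"))

if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(row["dfe_labels"], condition_example(row), element_example(row))
```

Row 3 shows the edge case both examples share: a non-empty backtrace_identities array is not enough, because an empty (or NULL) dfe_labels array always yields NULL.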
