arraymerge

The Cortex XDR XQL arraymerge() function merges a number of arrays, including arrays produced by the arraymap() function, into a single array.

Synopsis

arraymerge((<array1>), (<array2>), (arraymap(<array3>, <function()>), arraymap(<array4>, <function()>), ...))

Description

The arraymerge() function returns an array created by merging a number of arrays, including any number of arrays returned by the arraymap() function.

Example

Returns a final array created by merging the result of arraymap(), which extracts the IP address from the agent_interface_map field and the first IPv4 address found in the first element of the agent_interface_map array. This example uses the to_json_string() and json_extract_array() functions to extract the desired information.

dataset = xdr_data | alter a = arraymerge(arraymap(agent_interface_map, to_json_string(json_extract_array(to_json_string("@element"), "$.ipv4"))))
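The page's example merges a single arraymap() result. The following added query (not from the Cortex XDR documentation) shows the multi-array case the synopsis describes: two arraymap() passes over agent_interface_map are merged into one array per endpoint. The "$.ipv4" key comes from the page's example; the "$.ipv6" key and the agent_hostname field are assumptions.

```xql
// Added example: merge two arraymap() results into one array per endpoint.
// "$.ipv4" is the key used on this page; "$.ipv6" and agent_hostname are assumed.
dataset = xdr_data
| filter agent_interface_map != null
| alter all_ips = arraymerge(
    arraymap(agent_interface_map, to_json_string(json_extract_array(to_json_string("@element"), "$.ipv4"))),
    arraymap(agent_interface_map, to_json_string(json_extract_array(to_json_string("@element"), "$.ipv6")))
  )
| fields agent_hostname, all_ips
```

Each arraymap() call yields one array of JSON strings (one entry per interface), and arraymerge() concatenates the two arrays so a single field can be inspected or joined against an allow list of expected addresses.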
