Document:Cortex XDR™ XQL Language Reference

arraystring

Search the Table of Contents

copyright
- copyright
Get Started with XQL
Stages Commands Reference
- Alter
- Arrayexpand
- Bin
- Comp
  - avg
  - count
  - count_distinct
  - earliest
  - first
  - last
  - latest
  - list
  - max
  - min
  - sum
  - values
- Config
  - case_sensitive
  - timeframe
- Dedup
- Fields
- Filter
- Join
- Iploc
- Limit
- Replacenull
- Sort
- Target
- Union
- View
XQL Functions Reference
- add
- arrayconcat
- arraycreate
- arraydistinct
- arrayfilter
- arrayindex
- arrayindexof
- array_length
- arraymap
- arraymerge
- arrayrange
- arraystring
- coalesce
- concat
- current_time
- divide
- extract_time
- format_string
- format_timestamp
- floor
- if
- incidr
- incidrlist
- json_extract
- json_extract_array
- json_extract_scalar
- len
- lowercase
- multiply
- object_create
- parse_timestamp
- pow
- regextract
- replace
- replex
- round
- split
- string_count
- subtract
- timestamp_diff
- timestamp_seconds
- to_boolean
- to_float
- to_integer
- to_json_string
- to_number
- to_string
- to_timestamp
- trim
- uppercase

arraystring

Cortex XDR XQL arraystring() function returns a string from an array, where each array element is joined by a defined delimiter.

Synopsis

arraystring (<string>, <delimiter>)

Description

The

arraystring()

function returns a string from an array, where each array element is joined by a defined delimiter.

Examples

Retrieve all

action_app_id_transitions

that are not null, combine each array into a string where array elements are delimited by " : ", and then use Dedup the resulting string.

dataset = xdr_data 
| fields action_app_id_transitions  as aait 
| alter transitions_string = arraystring(aait, " : ") 
| dedup transitions_string by asc _time 
| filter aait != null

Document:Cortex XDR™ XQL Language Reference

arraystring

Table of Contents

arraystring

Synopsis

Description

Examples

Recommended For You

Recommended Videos