Document:Cortex XDR™ XQL Language Reference

coalesce

Search the Table of Contents

copyright
- copyright
Get Started with XQL
Stages Commands Reference
- Alter
- Arrayexpand
- Bin
- Comp
  - avg
  - count
  - count_distinct
  - earliest
  - first
  - last
  - latest
  - list
  - max
  - min
  - sum
  - values
- Config
  - case_sensitive
  - timeframe
- Dedup
- Fields
- Filter
- Join
- Iploc
- Limit
- Replacenull
- Sort
- Target
- Union
- View
XQL Functions Reference
- add
- arrayconcat
- arraycreate
- arraydistinct
- arrayfilter
- arrayindex
- arrayindexof
- array_length
- arraymap
- arraymerge
- arrayrange
- arraystring
- coalesce
- concat
- current_time
- divide
- extract_time
- format_string
- format_timestamp
- floor
- if
- incidr
- incidrlist
- json_extract
- json_extract_array
- json_extract_scalar
- len
- lowercase
- multiply
- object_create
- parse_timestamp
- pow
- regextract
- replace
- replex
- round
- split
- string_count
- subtract
- timestamp_diff
- timestamp_seconds
- to_boolean
- to_float
- to_integer
- to_json_string
- to_number
- to_string
- to_timestamp
- trim
- uppercase

coalesce

Cortex XDR XQL coalesce() function returns the first value that is not null from a defined list of fields.

Synopsis

coalesce (<field_1>, <field_2>,...<field_n>)

Description

The

coalesce()

function takes an arbitrary number of arguments and returns the first value that is not NULL.

Examples

Given a list of fields that contain usernames, select the first one that is not

null

and display it in the

username

column

dataset = xdr_data 
| fields actor_primary_username,
       os_actor_primary_username,
       causality_actor_primary_username 
| alter username = coalesce(actor_primary_username,
                          os_actor_primary_username,
                          causality_actor_primary_username)

Document:Cortex XDR™ XQL Language Reference

coalesce

Table of Contents

coalesce

Synopsis

Description

Examples

Recommended For You

Recommended Videos