1. Home
    2. Cortex
    3. Cortex XDR
    4. Cortex XDR™ XQL Language Reference
    5. XQL Functions Reference
    6. coalesce

    coalesce

    Cortex XDR XQL coalesce() function returns the first value that is not null from a defined list of fields.

    Synopsis

    coalesce (
    <field_1>, <field_2>,...<field_n>
    )

    Description

    The
    coalesce()
     function takes an arbitrary number of arguments and returns the first value that is not NULL.

    Examples

    Given a list of fields that contain usernames, select the first one that is not
    null
     and display it in the
    username
     column 
    dataset = xdr_data 
| fields actor_primary_username,
       os_actor_primary_username,
       causality_actor_primary_username 
| alter username = coalesce(actor_primary_username,
                          os_actor_primary_username,
                          causality_actor_primary_username)

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2021 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo