1. Home
    2. Cortex
    3. Cortex XDR
    4. Cortex XDR™ XQL Language Reference
    5. XQL Functions Reference
    6. if

    if

    Cortex XDR XQL if() function returns a result after evaluating a condition.

    Synopsis

    if (<
    boolean_expression
    >, <
    true_return_expression
    >, <
    false_return_expression
    >)

    Description

    The
    if()
     function evaluates an expression. If the expression evaluates as True, the function returns the results of evaluating the second function argument. If the expression evaluates as false, the function returns the results of evaluating the third function argument.

    Examples

    If '.exe' is present on the
    action_process_image_name
     field value, replace that substring with an empty string. This example uses the replace and lowercase functions, as well as the contains operator to perform the conditional check. 
    dataset = xdr_data 
| fields action_process_image_name as apin 
| filter apin != null 
| alter remove_exe_process = 
    if(lowercase(apin) contains ".exe",  // boolean expression
       replace(lowercase(apin),".exe",""), // return if true
       lowercase(apin))  // return if false
| limit 10

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2021 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo