regextract
Cortex XDR XQL regextract function uses regular expressions to assemble an array of matching substrings from a string.
Synopsis
regextract (<string_value>, <pattern>)
Description
The regextract() function accepts a string and a regular expression, and it returns an array containing the substrings that match the expression.
XQL uses RE2 for its regular expression implementation.
Examples
Extract the Account Name from the action_evtlog_message. Use the arrayindex and split functions to extract the actual account name from the array created by regextract.
dataset = xdr_data | fields action_evtlog_message as aem | filter aem != null | alter account_name = arrayindex(split(arrayindex(regextract(aem, "Account Name:\t\t.*\r\n"), 0), ":"), 1) | filter account_name != null | limit 10
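To see what the query above computes step by step, here is an added Python emulation (not part of the Cortex documentation or the product) of regextract, arrayindex and split run over a constructed event log message; Python's re module stands in for RE2, which is equivalent for this pattern. The sample message carries two Account Name lines, as Windows logon events do, which shows that index 0 picks the first occurrence and that the extracted value still carries its tabs and CRLF.

```python
import re

# Constructed sample modelled on a Windows logon event message (not real data).
# It has two "Account Name" lines: the Subject's and the New Logon's.
SAMPLE_MESSAGE = (
    "An account was successfully logged on.\r\n\r\n"
    "Subject:\r\n"
    "\tSecurity ID:\t\tS-1-5-18\r\n"
    "\tAccount Name:\t\tWORKSTATION$\r\n"
    "\tAccount Domain:\t\tCORP\r\n\r\n"
    "New Logon:\r\n"
    "\tSecurity ID:\t\tS-1-5-21-0-0-0-1001\r\n"
    "\tAccount Name:\t\tjdoe\r\n"
    "\tAccount Domain:\t\tCORP\r\n"
)

# Pattern exactly as used in the XQL example above.
ACCOUNT_NAME_PATTERN = r"Account Name:\t\t.*\r\n"


def regextract(value, pattern):
    """Emulate XQL regextract: every non-overlapping match of pattern, as a list."""
    if value is None:
        return None
    return [m.group(0) for m in re.finditer(pattern, value)]


def arrayindex(arr, idx):
    """Emulate XQL arrayindex: the element at idx, or None when missing/out of range."""
    if arr is None or idx >= len(arr):
        return None
    return arr[idx]


def split(value, sep):
    """Emulate XQL split: split a string on sep, None stays None."""
    return None if value is None else value.split(sep)


def account_name(message, occurrence=0):
    """Replay the alter step of the query; occurrence=0 matches the query's arrayindex(..., 0)."""
    matches = regextract(message, ACCOUNT_NAME_PATTERN)
    line = arrayindex(matches, occurrence)
    return arrayindex(split(line, ":"), 1)


if __name__ == "__main__":
    print(repr(regextract(SAMPLE_MESSAGE, ACCOUNT_NAME_PATTERN)))
    print(repr(account_name(SAMPLE_MESSAGE)))     # subject account, untrimmed
    print(repr(account_name(SAMPLE_MESSAGE, 1)))  # logged-on account
```

Because the value keeps its surrounding whitespace, compare it with trim() or a regex that captures only the name before filtering on specific accounts.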