1. Home
    2. Security Operations
    3. Cortex XDR
    4. Cortex XDR™ XQL Language Reference
    5. XQL Functions Reference
    6. replace

    replace

    Cortex XDR XQL replace function performs a substring replacement.

    Synopsis

    replace (<
    field
    >, "<
    old_substring
    >", "<
    new_string
    >")

    Description

    The
    replace()
     function accepts a string field, and replaces all occurrences of a substring with a replacement string.

    Examples

    If '.exe' is present on the
    action_process_image_name
     field value, replace that substring with an empty string. This example uses the if and lowercase functions, as well as the contains operator to perform the conditional check. 
    dataset = xdr_data 
| fields action_process_image_name as apin 
| filter apin != null 
| alter remove_exe_process = if(lowercase(apin) contains ".exe",
                              replace(lowercase(apin),".exe",""),
                              lowercase(apin)) 
| limit 10
    See also the trim function example.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo