replace

Cortex XDR XQL replace function performs a substring replacement.

Synopsis

replace (<field>, "<old_substring>", "<new_string>")

Description

The replace() function accepts a string field and replaces all occurrences of a substring with a replacement string.

Examples

If ".exe" is present in the action_process_image_name field value, replace that substring with an empty string. This example uses the if() and lowercase() functions, as well as the contains operator, to perform the conditional check:

dataset = xdr_data | fields action_process_image_name as apin | filter apin != null | alter remove_exe_process = if(lowercase(apin) contains ".exe", replace(lowercase(apin), ".exe", ""), lowercase(apin)) | limit 10
See also the trim function example.
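Building on the example above, here is an added XQL query (not from the Cortex XDR documentation) that normalizes process image names with replace() and lowercase() and then counts executions per normalized name, so the same binary is grouped together whether it was logged with mixed case or with and without the .exe suffix. The event_type filter, comp and sort stages are assumed to be available in your tenant.

```xql
// Added example, not from the original page.
// Assumes xdr_data, action_process_image_name, event_type, comp and sort exist as used here.
dataset = xdr_data
| filter event_type = ENUM.PROCESS and action_process_image_name != null
// Lowercase first so the literal ".exe" match is case-insensitive, then strip the suffix.
| alter norm_name = replace(lowercase(action_process_image_name), ".exe", "")
// Group by the normalized name; variants such as "CMD.EXE", "cmd.exe" and "cmd" collapse into one row.
| comp count(norm_name) as executions by norm_name
| sort desc executions
| limit 20
```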
