Document:Cortex XDR™ XQL Language Reference

replex

Search the Table of Contents

copyright
- copyright
Get Started with XQL
Stages Commands Reference
- Alter
- Arrayexpand
- Bin
- Comp
  - avg
  - count
  - count_distinct
  - earliest
  - first
  - last
  - latest
  - list
  - max
  - min
  - sum
  - values
- Config
  - case_sensitive
  - timeframe
- Dedup
- Fields
- Filter
- Join
- Iploc
- Limit
- Replacenull
- Sort
- Target
- Union
- View
XQL Functions Reference
- add
- arrayconcat
- arraycreate
- arraydistinct
- arrayfilter
- arrayindex
- arrayindexof
- array_length
- arraymap
- arraymerge
- arrayrange
- arraystring
- coalesce
- concat
- current_time
- divide
- extract_time
- format_string
- format_timestamp
- floor
- if
- incidr
- incidrlist
- json_extract
- json_extract_array
- json_extract_scalar
- len
- lowercase
- multiply
- object_create
- parse_timestamp
- pow
- regextract
- replace
- replex
- round
- split
- string_count
- subtract
- timestamp_diff
- timestamp_seconds
- to_boolean
- to_float
- to_integer
- to_json_string
- to_number
- to_string
- to_timestamp
- trim
- uppercase

replex

Cortex XDR XQL replex function uses a regular expression to identify and replace substrings.

Synopsis

replex (<string>, <pattern>, <new_string>)

Description

The

replex()

function accepts a string, and then uses a regular expression to identify a substring, and then replaces matching substrings with a new string.

XQL uses RE2 for its regular expression implementation.

Examples

For any

agent_id

that contains a dotted decimal IP address, mask the IP address. Use the dedup stage to reduce the result set to first-seen

agent_id

values.

dataset = xdr_data 
| fields agent_id 
| alter clean_agent_id = replex(agent_id, 
                              "[\d]+\.[\d]+\.[\d]+\.[\d]+", 
                              "xxx.xxx.xx.xx") 
| dedup agent_id by asc _time

Document:Cortex XDR™ XQL Language Reference

replex

Table of Contents

replex

Synopsis

Description

Examples

Recommended For You

Recommended Videos