Expected results when querying fields - Learn what to expect in the query results when querying fields. - Administrator Guide

Expected results when querying fields - Learn what to expect in the query results when querying fields. - Administrator Guide - Cortex CLOUD

Cortex Cloud Posture Management Documentation

Product

Cortex Cloud Application Security > Cortex CLOUD

License

Cloud Posture Management

Creation date

2025-01-22

Last date published

2026-06-10

Category

Administrator Guide

Abstract

Learn what to expect in the query results when querying fields.

The following are returned when querying fields:

If specific fields are stated in the fieldsfields stage, those exact fields will be returned.
The _time system field will not be added to queries that contain the comp stage.
All current system fields will be returned, even if they are not stated in the query.
Each new column in the result set created by the alter stage will be added as the last column. You can specify a different column order by modifying the field order in the fieldsfields stage of the query.alter
Each new column in the result set created by the comp stage will be added as the last column. Other fields that are not in the group by / calculated column will be removed from the result set, including the core fields and _time system field.comp
When no limit is explicitly stated in a datamodel query, a maximum of 1,000,000 results are returned (default). When this limit is applied to results using the limit stage, it will be indicated in the user interface.limit