CONST - Learn how to write a [CONST] section in a Parsing Rules file and the syntax to use. - Administrator Guide - Cortex XDR - Cortex

CONST - Learn how to write a [CONST] section in a Parsing Rules file and the syntax to use. - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR 3.x Documentation

Product

Cortex XDR

License

Prevent

Pro

Creation date

2024-03-06

Last date published

2025-12-24

Category

Administrator Guide

Abstract

Learn how to write a [CONST] section in a Parsing Rules file and the syntax to use.

A CONST section is used to define strings and numbers that can be reused multiple times within Cortex Query Language (XQL) statements in other INGEST sections by using $constName. This can be helpful to avoid writing the same value in multiple sections, similar to constants in modern programming languages.

Example 81.

[CONST]
DEFAULT_DEVICE_NAME = "firewall3060";       // string
FILE_REGEX = "c:\\users\\[a-zA-Z0-9.]*";    // complex string
my_num = 3;                                 /* int */

An example of using a CONST inside XQL statements in other INGEST sections using $constName:

Note

The dollar sign ($) must be adjacent to the [CONST] name, without any whitespace in between.

...
| filter device_name = $DEFAULT_DEVICE_NAME
| alter new_field = JSON_EXTRACT(field, $FILE_REGEX)
| filter age < $MAX_TIMEOUT
| join type=$DEFAULT_JOIN_TYPE conflict_strategy=$DEFAULT_JOIN_CONFLICT_STRATEGY (dataset=my_lookup) as inn url=inn.url
...

Important

Only quoted or integer terminal values are considered valid for CONST sections.

Example 82.

These will not compile:

[CONST]
WORD_CONST = abcde;                             //invalid
func_val = regex_extract(_raw_log, "regex");    // not possible
RECURSIVE_CONST = $WORD_CONST;                  // not terminal - not possible

CONST sections are meant to replace values. Other types, such as column names, are not supported:

...
| filter $DEVICE_NAME = "my_device"             // illegal
...

A few more points to keep in mind when writing CONST sections:

CONST names are not case-sensitive. They can be written in any user-desired casing, such as UPPER_SNAKE, lower_snake, camelCase, and CamelCase. For example, MY_CONST=My_Const=my_const.
CONST names must be unique inside a section, and across all sections of the file. You cannot have the same CONST name defined again in the same section, or in any other CONST sections in the file.
Since section order is unimportant, you do not have to declare a CONST before using it. You can have the CONST section written below other sections that use those CONST sections.
A CONST is an add-on to the Parsing Rule syntax and is optional to configure.
CONST syntax is derived from XQL, but a few modifications as explained in the Parsing Rules syntax.