Learn more about reviewing the results returned from an XQL query.
Notice
Building Cortex Query Language (XQL) queries in the Query Builder requires a Cortex XDR Pro license.
Review the following topics:
The results of a Cortex Query Language (XQL) query are displayed in a tab called Query Results.
Note
It's also possible to graph the results displayed. For more information, see Graph query results.
Real-time query results
Cortex XDR displays partial results for queries run in the Query Builder as they are received, subject to the limitations below. In a long-running query, viewing the initial findings enables you to refine, validate, or stop the query.
The partial results are displayed only in the Table tab. The results are added to the table as they are received in real time. The incremental query results aren't ordered, so they may not be in sequence.
Note
Results are received incrementally for the first 100K records, or up to 100MB worth of records, whichever comes first. After that, the next update is when the query has finished running completely.
Limitations
Real time query results are available only in the Query Builder and in free text query.
Real time results are displayed only for queries run on hot datasets.
The Sort option is available only after all the data is retrieved.
When you formulate complex queries, the results will be displayed when the query has finished running completely, and not in real time. Some of the clauses that are included in this restriction are:
JOIN - incremental results are supported only when the secondary dataset is smaller in size
SORT
COMP
WINDOWCOMP
TOP
Use the following options in the Query Results tab to investigate your query results:
Option | Use |
|---|---|
Table tab | Displays results in rows and columns according to the entity fields. Columns can be filtered, using their filter icons. More options (kebab icon
Show and hide rows according to a specific field in a specific event: select a cell, right-click it, and then select either or |
Graph tab | Use the Chart Editor to visualize the query results. |
Advanced tab | Displays results in a table format which aggregates the entity fields into one column. You can change the layout, decide whether to Show line breaks for any text field in the results table, and change the log format from the Select Show more to pivot an Expanded View of the event results that include NULL values. You can toggle between the JSON and Tree views, search, and Copy to clipboard. |
Export to File | Exports the results to a TSV (tab-separated values) file.
|
Refresh | Refreshes the query results. |
Free text search | Searches the query results for text that you specify in the free text search. Click the Free text search icon to reveal or hide the free text search field. |
Filter | Enables you to filter a particular field in the interface that is displayed to specify your filter criteria. For integer, boolean, and timestamp (such as |
Fields menu | Filters query results. To quickly set a filter, Cortex XDR displays the top ten results from which you can choose to build your filter. This option is only available in the Table and Advanced tabs, From within the menu, click on any field (excluding JSON and array fields) to see a histogram of all the values found in the result set for that field. This histogram includes:
NoteIn order for Cortex XDR to provide a histogram for a field, the field must not contain an array or a JSON object. |
