arraymap - Learn more about the Cortex Query Language arraymap() function that applies a callable function to every element of an array. - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR 3.x Documentation
Product
Cortex XDR
License
Prevent
Pro
Creation date
2024-03-06
Last date published
2025-12-24
Category
Administrator Guide
Abstract

Learn more about the Cortex Query Language arraymap() function that applies a callable function to every element of an array.

Syntax
arraymap (<array>, <function()>)
Description

The arraymap() function applies a specified function to every element of an array. For functions that require a fieldname, use "@element".

Examples

Extract the MAC address from the agent_interface_map field. This example uses the json_extract_scalar, to_json_string, json_extract_array, and arraystring functions to extract the desired information.

dataset = xdr_data 
| alter mac = 
    arraystring (
        arraymap (
            json_extract_array (to_json_string(agent_interface_map),"$."),
            json_extract_scalar ("@element", "$.mac")
        ), ",")