coalesce - Learn more about the Cortex Query Language coalesce() function that returns the first value that is not null from a defined list of fields. - Administrator Guide - Cortex XDR - Cortex

coalesce - Learn more about the Cortex Query Language coalesce() function that returns the first value that is not null from a defined list of fields. - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR 3.x Documentation

Product

Cortex XDR

License

Prevent

Pro

Creation date

2024-03-06

Last date published

2025-11-10

Syntax

coalesce (<field_1>, <field_2>,...<field_n>)

Description

The coalesce() function takes an arbitrary number of arguments and returns the first value that is not NULL.

Example

Given a list of fields that contain usernames, select the first one that is not null and display it in the username column.

dataset = xdr_data 
| fields actor_primary_username,
       os_actor_primary_username,
       causality_actor_primary_username 
| alter username = coalesce(actor_primary_username,
                          os_actor_primary_username,
                          causality_actor_primary_username)