fields - Learn more about the Cortex Query Language fields stage that defines the fields returned in the result set. - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR 3.x Documentation
Product
Cortex XDR
License
Prevent
Pro
Creation date
2024-03-06
Last date published
2025-12-24
Category
Administrator Guide
Abstract

Learn more about the Cortex Query Language fields stage that defines the fields returned in the result set.

Syntax
fields [-] <field_1> [as <name1>], <field_2> [as <name2>], ...
Description

The fields stage declares which fields are returned in the result set, including name changes. If this stage is used, then subsequent stages can operate only on the fields identified by this stage.

Use a wildcard (*) to include all fields that match the pattern. Use a minus character (-) to exclude a field from the result set. The following system fields cannot be excluded and are always displayed:

  • _time

  • _insert_time

  • _raw_log

  • _product

  • _vendor

  • _tag

  • _snapshot_id

  • _snapshot_log_count

  • _snapshot_collection_ts

  • _id

Use the as clause to set an alias for a field. If you use the as clause, then subsequent stages must use that alias to refer to the field.

Examples

Return the action_country field from all xdr_data records where the action_country field is both not null and not "-". Also include all fields with names that match event_* except for event_type.

dataset = xdr_data 
| fields action_country as ac 
| fields event_* 
| fields - event_type 
| filter ac != null and ac != "-"