ltrim, rtrim, trim - Learn more about the Cortex Query Language ltrim(), rtrim(), and trim() functions that remove trim_characters from a string. - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR 3.x Documentation
Product
Cortex XDR
License
Prevent
Pro
Creation date
2024-03-06
Last date published
2025-12-04
Category
Administrator Guide
Abstract

Learn more about the Cortex Query Language ltrim(), rtrim(), and trim() functions that remove trim_characters from a string.

Syntax
trim (<string>,[trim_characters])
rtrim (<string>,[trim_characters])
ltrim (<string>,[trim_characters])
Description

  • The trim() function removes all instances of the specified trim_characters defined in the second parameter of the function from the beginning and end of the string defined in the first parameter of the function.

  • The rtrim() function removes all instances of the specified trim_characters defined in the second parameter of the function from the end of the string defined in the first parameter of the function.

  • The ltrim() function removes all instances of the specified trim_characters defined in the second parameter of the function from the beginning of the string defined in the first parameter of the function.

Keep in mind the following important points before using these functions, where relevant examples are provided:

  • The specified trim_characters do not need to be in any order.

    Example 125. 

    Either of these yield the same result:

    rtrim("explorer.exe", ".ex")
    rtrim("explorer.exe", ".exe")
    rtrim("explorer.exe", "x.e")

    Output result:

    "explorer"

  • trim_characters don't support regular expressions or escape characters.

    Example 126. 
    ltrim("***a*aapple*", "*a")

    Output results:

    "pple*"

  • All occurrences of the trim_characters supplied are removed from left to right until it reaches a letter that is not part of the supplied letters.

    Example 127. 
    ltrim("hello world", "leh")

    Output results:

    "o world"

  • A space in the string can also be considered a character.

  • The ltrim(), rtrim(), and trim() functions are case sensitive unless there is an override.

    Example 128. 
    ltrim("***a*aapple*", "*A")

    Output results:

    "a*aapple*"

  • If you do not specify trim_characters, then whitespace (spaces and tabs) are removed.

    Example 129. 
    ltrim("  apple*")

    Output results:

    "apple*"

Examples

A complete query example, where the output results of each ltrim(), rtrim(), and trim() function is detailed in the comments.

config timeframe = 1w | dataset = xdr_data
| limit 1
| alter
    example_1 = rtrim("explorer.exe", "x.e"), // ---> "explorer"
    example_2 = ltrim("hello world", "leh"), // ---> "o world"
    example_3 = trim("  apple*  ", " "), // ---> "apple*"
    example_4 = ltrim("***a*aapple*", "*A") // ---> "a*aapple*"
| fields example*