Expected results when querying fields

Cortex XDR Documentation

Product
Cortex XDR
Creation date
2024-03-06
Last date published
2024-10-01
Category
Administrator Guide
Abstract

Learn what to expect in the query results when querying fields.

Notice

Building Cortex Query Language (XQL) queries in the Query Builder requires a Cortex XDR Pro license.

The following rules determine which columns are returned when a query includes a fields stage:

  • If specific fields are stated in the fields stage, exactly those fields are returned.

  • The _time system field will not be added to queries that contain the comp stage.

  • All current system fields will be returned, even if they are not stated in the query.

  • Each new column in the result set created by the alter stage will be added as the last column. You can specify a different column order by modifying the field order in the fields stage of the query.

  • Each new column in the result set created by the comp stage will be added as the last column. Other fields that are not in the group by / calculated column will be removed from the result set, including the core fields and _time system field.

  • When no limit is explicitly stated in a datamodel query, a maximum of 1,000,000 results is returned (the default). When this limit is applied to the results using the limit stage, the user interface indicates it.
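The following XQL queries are an added illustration of the rules above; they are not part of the original page. They use the xdr_data dataset and standard field names (agent_hostname, action_process_image_name, actor_process_image_name, event_type, _time), but the exact set of system columns, the hypothetical column name image_lower, and the expected column lists written in the comments are assumptions for illustration.

```xql
// Query 1: an explicit fields stage.
// Assumed result columns: agent_hostname, actor_process_image_name,
// action_process_image_name, plus the system fields (for example _time),
// which are returned even though they are not listed.
dataset = xdr_data
| filter event_type = ENUM.PROCESS
| fields agent_hostname, actor_process_image_name, action_process_image_name
| limit 100

// Query 2: a column created by alter (image_lower is a hypothetical name).
// Without the later fields stage it would be appended as the last column;
// the fields stage below moves it to the second position.
dataset = xdr_data
| filter event_type = ENUM.PROCESS
| alter image_lower = lowercase(action_process_image_name)
| fields agent_hostname, image_lower, action_process_image_name
| limit 100

// Query 3: a comp stage. Only the group-by key and the calculated columns
// survive; core fields and _time are removed. Because _time is dropped,
// the time range of each group is recovered here by aggregating it
// explicitly (min/max), which is what a detection or triage query needs.
// The explicit limit avoids relying on the default result cap.
dataset = xdr_data
| filter event_type = ENUM.PROCESS
| comp count_distinct(action_process_image_name) as distinct_images,
       min(_time) as first_seen,
       max(_time) as last_seen
  by agent_hostname
| sort desc distinct_images
| limit 20
```

Query 3 is the one to keep in mind when building detections: because comp discards _time along with the other non-grouped fields, any timestamp you want in the result must be produced by an aggregate in the comp stage itself.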