Learn what to expect in the query results when querying fields.
Notice
Building Cortex Query Language (XQL) queries in the Query Builder requires a Cortex XDR Pro license.
The following are returned when querying fields:

- If specific fields are stated in the fields stage, those exact fields will be returned.
- The _time system field will not be added to queries that contain the comp stage.
- All current system fields will be returned, even if they are not stated in the query.
- Each new column in the result set created by the alter stage will be added as the last column. You can specify a different column order by modifying the field order in the fields stage of the query.
- Each new column in the result set created by the comp stage will be added as the last column. Other fields that are not in the group by / calculated column will be removed from the result set, including the core fields and the _time system field.
- When no limit is explicitly stated in a datamodel query, a maximum of 1,000,000 results are returned (default). When this limit is applied to results using the limit stage, it will be indicated in the user interface.
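The following two queries are an added illustration of these rules and are not part of this documentation page; they assume the xdr_data dataset, its agent_hostname and action_process_image_name fields, and the lowercase() function are available in your tenant.

```xql
// Query 1: alter + fields.
// The alter column (image_lower) would normally be appended as the last
// column; the fields stage below overrides that order. System fields such
// as _time are still returned because there is no comp stage.
dataset = xdr_data
| filter event_type = ENUM.PROCESS
| alter image_lower = lowercase(action_process_image_name)
| fields agent_hostname, image_lower, action_process_image_name
| limit 100

// Query 2: comp.
// Only the "by" field (agent_hostname) and the calculated column
// (process_events) are returned. _time, the core fields and any other
// column are removed from the result set. Without the explicit limit
// stage, the default cap of 1,000,000 results would apply.
dataset = xdr_data
| filter event_type = ENUM.PROCESS
| comp count() as process_events by agent_hostname
| sort desc process_events
| limit 20
```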