How to filter for empty values in the results table - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Documentation

Product
Cortex XDR
Creation date
2024-03-06
Last date published
2024-11-07
Category
Administrator Guide
Abstract

Learn how to filter for empty values in the results table in Cortex Query Language.

When building a query, you can filter the results table for empty values, either excluding or matching only fields that are null or empty strings. In the query syntax, an empty string is written as "" (two double-quote characters with nothing between them), while a null field is written as the unquoted keyword null. The two are distinct values, so a condition on one does not cover the other.

  • Exclude null and empty strings using the following syntax:

    <field name> != null and <field name> != ""
  • Include only null or empty strings using the following syntax:

    <field name> = null or <field name> = ""
Example 73. 

Below is an example of filtering your endpoint data in the results table to exclude all null values and any empty strings in the user field.

config timeframe = 90d
| dataset = endpoints
| filter endpoint_status in (CONNECTED, DISCONNECTED)
| filter user != null and user != ""
| fields user, group_names, endpoint_name
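The following query is an added example, not part of the Cortex XDR documentation, showing the opposite case: the include form returns only endpoints whose user field is null or an empty string, and then counts them per endpoint status. The dataset and field names are the ones used on this page; the comp and sort stages are assumed to be standard XQL.

```xql
// Added example: endpoints with no recorded user (null or empty string),
// counted per endpoint status. Both clauses are needed because
// user = "" does not match null and user = null does not match "".
config timeframe = 90d
| dataset = endpoints
| filter endpoint_status in (CONNECTED, DISCONNECTED)
| filter user = null or user = ""
| comp count(endpoint_name) as endpoint_count by endpoint_status
| sort desc endpoint_count
```

Drop the comp and sort stages and add a fields stage to list the individual endpoint names instead of the per-status counts.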