array_all - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Documentation

Product: Cortex XDR
Creation date: 2024-03-06
Last date published: 2024-11-07
Category: Administrator Guide
Abstract

Learn more about the Cortex Query Language array_all() function.

Syntax
array_all(<array>, "@element"<operator>"<array element>")

Note

The <operator> can be any supported operator, such as = and !=.

Description

The array_all() function returns true when all the elements in the array match the specified condition. Otherwise, the function returns false.

Example

When the dfe_labels array is not empty, use the alter stage to create a new column called x that returns true when all the elements in the dfe_labels array are equal to network; otherwise, the function returns false.

dataset = xdr_data
| filter dfe_labels != null
| alter x = array_all(dfe_labels, "@element" = "network")
| fields x, dfe_labels
| limit 100
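
The following query is an added example, not part of the original Cortex XDR documentation. It uses the != operator from the note above to show that a false result from the = form is not the same as a true result from the != form: an array that mixes network with other labels makes both columns false. The column names all_network and none_network are assumptions chosen for illustration.

```xql
dataset = xdr_data
| filter dfe_labels != null
// all_network: true only when every label equals "network"
// none_network: true only when every label differs from "network"
| alter all_network = array_all(dfe_labels, "@element" = "network"),
        none_network = array_all(dfe_labels, "@element" != "network")
// Both false means the array contains "network" alongside at least one other label
| filter all_network = false and none_network = false
| fields dfe_labels, all_network, none_network
| limit 100
```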