arrayindexof - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Documentation

Product
Cortex XDR
Creation date
2024-03-06
Last date published
2024-10-10
Category
Administrator Guide
Abstract

Learn more about the Cortex Query Language arrayindexof() function that returns the index value of an array.

Syntax
arrayindexof(<array>, <condition>)
arrayindexof(<array>, "@element"<operator>"<array element>")

Note

The <operator> can be any of the ones supported, such as = and !=.

Description

The arrayindexof() function enables you to return a value related to an array in one of the following ways.

  • Returns 0 if a particular array is not empty and the specified condition is true. If the condition is not met, a NULL value is returned.

  • Returns the 0-based index of a particular array element if a particular array is not empty and the specified condition using an @element is true. If the condition is not met, a NULL value is returned.

Examples
Condition

Use the alter stage to assign a value returned by the arrayindexof function to a field called x. The arrayindexof function reviews the dfe_labels array and returns 0 if the array is not empty and the backtrace_identities array contains more than 1 element. Otherwise, a NULL value is assigned to the x field.

dataset in (xdr_data) 
| alter x = arrayindexof(dfe_labels , array_length(backtrace_identities) > 1) 
| fields x, dfe_labels 
| limit 100 
@Element

When the dfe_labels array is not empty, use the alter stage to assign the 0-based index value returned by the arrayindexof function to a field called x. The arrayindexof function reviews the dfe_labels array and looks for the array element set to network. Otherwise, a NULL value is assigned to the x field.

dataset = xdr_data 
| filter dfe_labels != null
| alter x = arrayindexof(dfe_labels , "@element" = "network") 
| fields x, dfe_labels 
| limit 100