Learn more about the Cortex Query Language json_extract_array()
function that accepts a string representing a JSON array, and returns an XQL-native array.
Important
Before using this JSON function, it's important that you understand how Cortex XDR treats a JSON in the Cortex Query Language. For more information, see JSON functions.
Syntax
Description
The json_extract_array()
function accepts a string representing a JSON array, and returns an XQL-native array. To convert a string field to a JSON object, use the to_json_string function.
Important
JSON field names are case sensitive, so the key to field pairing must be identical in an XQL query for results to be found. For example, if a field value is "TIMESTAMP"
and your query is defined to look for "timestamp", no results will be found.