replacenull

Cortex XDR Documentation

Product: Cortex XDR
Creation date: 2024-03-06
Last date published: 2024-10-01
Category: Administrator Guide
Abstract

Learn more about the Cortex Query Language replacenull stage that replaces null field values with a text string.

Syntax
replacenull <field> = <text string>
Description

The replacenull stage replaces null values of the specified field with the given text string. This guarantees that the field contains a value in every record of your result set.

If you use the replacenull stage, then all subsequent stages that refer to the field's null value must use the replacement text string.

Examples

Return the action_country field from every xdr_data record where the action_country field is null, using the text string N/A in place of the empty field value.

dataset = xdr_data 
| fields action_country as ac 
| replacenull ac = "N/A" 
| filter ac = "N/A"
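
The requirement that later stages use the replacement string matters most in aggregations and follow-on filters, where a leftover null test silently matches nothing. The two queries below are an added illustration, not part of the original Cortex XDR documentation; the alias events and the pairing with the comp and sort stages are choices made for this example, and each query is run on its own.

```xql
// Query 1: label records that have no country, then count records per country.
// Records with a null action_country are grouped under "N/A".
dataset = xdr_data
| fields action_country as ac
| replacenull ac = "N/A"
| comp count(ac) as events by ac
| sort desc events

// Query 2: after replacenull, ac is never null, so a null test on it matches nothing.
dataset = xdr_data
| fields action_country as ac
| replacenull ac = "N/A"
| filter ac = null    // returns no records; filter on ac = "N/A" instead
```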