Arrayexpand - Reference Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR XQL Language Reference

Product
Cortex XDR
Creation date
2024-02-26
Last date published
2024-05-21
Category
Reference Guide
Abstract

Learn more about the Cortex Query Language arrayexpand stage.

Syntax

arrayexpand <array_field> [limit <limit number>]

Description

The arrayexpand stage expands the values of a multi-value array field into separate events, creating one record in the result set for each item in the array, up to <limit number> records. For example, suppose you have a dataset with a single row like this:

uid      username   array_values
123456   ajohnson   [1,2,3,4,5,6,7,8,9,0]

Then if you run an arrayexpand stage using the array_values field, with a limit of 3, the result set includes the following records:

dataset=my_dataset 
| arrayexpand array_values limit 3

uid      username   array_values
123456   ajohnson   2
123456   ajohnson   1
123456   ajohnson   3

Note

The result records created by arrayexpand are in no particular order. However, you can use the Sort stage to sort the results:

dataset=my_dataset 
| arrayexpand array_values 
| sort asc array_values
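To make the behaviour of the two stages above concrete, here is an added Python model of arrayexpand followed by sort, run over the page's one-row dataset; it is illustration code, not part of Cortex XDR or XQL, and it assumes a limit keeps the first items of the array (the page shows the first three but states that output order is unspecified).

```python
"""Model of the XQL arrayexpand and sort stages over in-memory records.

Added illustration, not Cortex XDR code. It reproduces the page's example
(one uid/username/array_values row, limit 3): each array element becomes
its own record, with every other column copied unchanged.
"""
from typing import Any, Dict, Iterable, List, Optional

Record = Dict[str, Any]


def arrayexpand(rows: Iterable[Record], field: str,
                limit: Optional[int] = None) -> List[Record]:
    """Emit one record per element of row[field], at most `limit` per row.

    Assumptions of this model (not documented behaviour): a limit keeps the
    leading elements, and a row whose field is not an array passes through
    as a single unchanged record.
    """
    out: List[Record] = []
    for row in rows:
        values = row.get(field)
        if not isinstance(values, list):
            out.append(dict(row))
            continue
        for item in values[:limit]:
            expanded = dict(row)        # copy the remaining columns
            expanded[field] = item      # replace the array with one element
            out.append(expanded)
    return out


def sort_stage(rows: Iterable[Record], field: str, asc: bool = True) -> List[Record]:
    """Equivalent of `| sort asc <field>` (or desc when asc=False)."""
    return sorted(rows, key=lambda r: r[field], reverse=not asc)


# Constructed sample matching the page's single-row dataset.
MY_DATASET: List[Record] = [
    {"uid": 123456, "username": "ajohnson",
     "array_values": [1, 2, 3, 4, 5, 6, 7, 8, 9, 0]},
]


def run_example() -> List[Record]:
    """dataset=my_dataset | arrayexpand array_values limit 3 | sort asc array_values"""
    return sort_stage(arrayexpand(MY_DATASET, "array_values", limit=3), "array_values")


if __name__ == "__main__":
    for rec in run_example():
        print(rec)
```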