Fields - Reference Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR XQL Language Reference


Learn more about the Cortex Query Language fields stage that defines the fields returned in the result set.


fields [-] <field_1> [as <name1>], <field_2> [as <name2>], ...


The fields stage declares which fields are returned in the result set, including name changes. If this stage is used, then subsequent stages can operate only on the fields identified by this stage.

Use a wildcard (*) to include all fields that match the pattern. Use a minus character (-) to exclude a field from the result set. The following system fields cannot be excluded and are always displayed:

  • _time

  • _insert_time

  • _raw_log

  • _product

  • _vendor

  • _tag

  • _snapshot_id

  • _snapshot_log_count

  • _snapshot_collection_ts

  • _id

Use the as clause to set an alias for a field. If you use the as clause, then subsequent stages must use that alias to refer to the field.


Return the action_country field from all xdr_data records where the action_country field is both not null and not "-". Also include all fields with names that match event_* except for event_type.

dataset = xdr_data
| fields action_country as ac, event_*
| fields - event_type
| filter ac != null and ac != "-"
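The query below is an added example, not one from the Cortex documentation. It applies the same three mechanisms (alias, wildcard, exclusion) to process events and then uses the aliases in later stages, which is the point most often missed: once a fields stage has renamed a column, the original name is no longer available downstream. It assumes that the xdr_data fields agent_hostname, actor_process_image_name, action_process_image_name, action_process_image_command_line and the ENUM.PROCESS event type exist in your tenant's schema, and that XQL accepts // line comments; verify both against your dataset before relying on it.

```xql
// Added example (not from the original page). Field names are assumed to
// exist in the xdr_data schema; confirm them in your tenant before use.
dataset = xdr_data
| filter event_type = ENUM.PROCESS
| fields agent_hostname as host,
         actor_process_image_name as parent,
         action_process_image_name as child,
         action_process_*
// The wildcard pulled in every action_process_* column; drop the noisy
// command line from the result set while keeping the aliased columns.
| fields - action_process_image_command_line
// Only host, parent, child, the remaining action_process_* columns and the
// system fields (_time, _id, ...) survive here; agent_hostname is gone.
| filter parent = "winword.exe" and child = "powershell.exe"
| comp count(child) as launches by host, parent, child
| sort desc launches
```

Because the filter and comp stages refer to host, parent and child rather than the original column names, the query fails at parse time if the alias is dropped from the fields stage, which is the behaviour the rule in the text describes. The system fields listed above remain in every row regardless of what the fields stages select or exclude, so _time can still be used for bucketing in a later stage without being named explicitly.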