How to filter for empty values in the results table

Cortex XDR XQL Language Reference

Product: Cortex XDR
Creation date: 2024-07-16
Last date published: 2024-11-25
Category: Reference Guide
Retire_Doc: Retiring
Link_to_new_Doc: /r/Cortex-XDR/Cortex-XDR-Documentation/Cortex-XDR-XQL
Abstract

Learn how to filter for empty values in the results table in Cortex Query Language.

When building a query, you can filter the results table for empty values, either including or excluding fields that are null or empty strings. In the query syntax, an empty string is written as "" and a null field is written as null; the two are distinct values, so a filter that should drop both must test for both.

Example

The following query filters endpoint data so that the results table excludes any row whose user field is null or an empty string.

config timeframe = 90d
| dataset = endpoints
| filter endpoint_status in (CONNECTED, DISCONNECTED)
| filter user != null and user != ""
| fields user, group_names, endpoint_name
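The query above reads naturally, but the reason it needs two conditions is easy to miss: a row with a null user is not the same as a row with an empty-string user, and a filter that tests only one of them lets the other through. The Python below is an added example (not Cortex XDR code and not XQL) that emulates the stages of the query on a handful of constructed endpoint records, with Python None standing in for an XQL null and "" for an XQL empty string. The record shape and the status values are assumed to mirror the fields named in the query; the helper names are invented for the example.

```python
"""Emulate the null/empty-string filter from the XQL example above.

Added illustration, not Cortex XDR or XQL code. It walks constructed records
through the same three stages as the query: status filter, user filter,
field projection. Python None plays the role of an XQL null value.
"""

# Constructed sample rows shaped like the fields the query touches.
# ws-02 has an empty-string user, ws-03 has a null user, srv-01 is in a
# status the query does not select at all.
SAMPLE_ENDPOINTS = [
    {"endpoint_name": "ws-01", "endpoint_status": "CONNECTED",
     "user": "alice", "group_names": ["Finance"]},
    {"endpoint_name": "ws-02", "endpoint_status": "CONNECTED",
     "user": "", "group_names": ["IT"]},
    {"endpoint_name": "ws-03", "endpoint_status": "DISCONNECTED",
     "user": None, "group_names": []},
    {"endpoint_name": "srv-01", "endpoint_status": "LOST",
     "user": "svc_backup", "group_names": ["Servers"]},
    {"endpoint_name": "ws-04", "endpoint_status": "DISCONNECTED",
     "user": "bob", "group_names": ["HR"]},
]

# Mirrors: | filter endpoint_status in (CONNECTED, DISCONNECTED)
SELECTED_STATUSES = {"CONNECTED", "DISCONNECTED"}

# Mirrors: | fields user, group_names, endpoint_name
PROJECTED_FIELDS = ("user", "group_names", "endpoint_name")


def user_passes(user, exclude_null=True, exclude_empty=True):
    """Emulate `user != null and user != ""`, with each half switchable
    so the effect of dropping one condition can be observed."""
    if exclude_null and user is None:       # user != null
        return False
    if exclude_empty and user == "":        # user != ""
        return False
    return True


def run_query(rows, exclude_null=True, exclude_empty=True):
    """Apply the query's stages in order and return the projected rows."""
    results = []
    for row in rows:
        if row["endpoint_status"] not in SELECTED_STATUSES:
            continue
        if not user_passes(row["user"], exclude_null, exclude_empty):
            continue
        results.append({k: row[k] for k in PROJECTED_FIELDS})
    return results


def endpoint_names(rows, **filter_flags):
    """Convenience view: just the endpoint_name of each surviving row."""
    return [r["endpoint_name"] for r in run_query(rows, **filter_flags)]


if __name__ == "__main__":
    # Full filter as written in the query: only rows with a real user survive.
    print("both conditions:", endpoint_names(SAMPLE_ENDPOINTS))
    # Drop the null test: the null-user row (ws-03) leaks into the results.
    print("only != \"\":   ", endpoint_names(SAMPLE_ENDPOINTS, exclude_null=False))
    # Drop the empty-string test: the empty-user row (ws-02) leaks instead.
    print("only != null:  ", endpoint_names(SAMPLE_ENDPOINTS, exclude_empty=False))
```

Run as-is to see the three variants side by side: with both conditions only ws-01 and ws-04 remain; removing either condition lets exactly one of the "no user" rows back in, and srv-01 never appears because the status filter runs before the user filter.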