Replacenull - Learn more about the Cortex Query Language replacenull stage that replaces null field values with a text string. - Reference Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR XQL Language Reference
Product
Cortex XDR
Creation date
2024-07-16
Last date published
2024-11-25
Category
Reference Guide
Retire_Doc
Retiring
Link_to_new_Doc
/r/Cortex-XDR/Cortex-XDR-Documentation/Cortex-XDR-XQL
Abstract

Learn more about the Cortex Query Language replacenull stage that replaces null field values with a text string.

Syntax

replacenull <field> = <text string>

Description

The replacenull stage replaces null field values with the specified text string. This guarantees that every field in your result set will contain a value.

If you use the replacenull stage, then all subsequent stages that refer to the field's null value must use the replacement text string.

Examples

Return the action_country field from every xdr_data records where the action_country field is null, using the text string N/A in the place of an empty field value.

dataset = xdr_data 
| fields action_country as ac 
| replacenull ac = "N/A" 
| filter ac = "N/A"