array_any - Reference Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR XQL Language Reference

Product: Cortex XDR
Creation date: 2024-07-16
Last date published: 2024-10-06
Category: Reference Guide
Abstract

Learn more about the Cortex Query Language array_any() function.

Syntax

array_any(<array>, "@element" <operator> "<array element>")

Note

The <operator> can be any supported comparison operator, such as = and !=. The condition is evaluated against each element of <array> in turn.

Description

The array_any() function returns true when at least 1 element in a particular array matches the condition in the specified array element. Otherwise, the function returns false.

Example

When the dfe_labels array is present (not null), use the alter stage to create a new column called x that returns true when at least 1 element in the dfe_labels array is equal to network; otherwise, the function returns false.

dataset = xdr_data
| filter dfe_labels != null
| alter x = array_any(dfe_labels, "@element" = "network")
| fields x, dfe_labels
| limit 100
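The following is an added example, not from the original reference page, showing array_any() with both operators and then used to drive a filter stage. dfe_labels is the page's own field; the column names has_network and has_other are chosen for this example.

```xql
// Added example: array_any() with "=" and "!=" on the same array.
dataset = xdr_data
| filter dfe_labels != null
| alter has_network = array_any(dfe_labels, "@element" = "network"),
        has_other   = array_any(dfe_labels, "@element" != "network")
// has_other is true whenever ANY label differs from "network", so a row
// whose labels are ["network", "file"] gets has_network = true AND
// has_other = true. "!=" inside array_any() is therefore not the negation
// of "=". To keep only rows with no "network" label at all, negate the
// "=" result instead:
| filter has_network = false
| fields dfe_labels, has_network, has_other
| limit 100
```

Rows that survive the filter have has_network = false, so every label in dfe_labels is something other than network; has_other is kept in the output only to make the difference between the two operators visible.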