arrayindex

Cortex XDR XQL Language Reference

Product: Cortex XDR
Creation date: 2024-02-26
Last date published: 2024-05-21
Category: Reference Guide

Abstract

Learn more about the Cortex Query Language arrayindex() function that returns the array element contained at the specified index.

Syntax

arrayindex(<array>, <index>)

Description

The arrayindex() function returns the value contained in the specified array position. Arrays are 0-based, and negative indexing is supported.

Examples

Use the split function to split IP addresses into an array of octets. Return the 3rd octet contained in the IP address, which is index 2 because arrays are 0-based.

dataset = xdr_data
| fields action_local_ip as alii
| alter ip_third_octet = arrayindex(split(alii, "."), 2)
| filter alii != null and alii != "0.0.0.0"
| limit 10
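
The following query is an added example, not part of the original reference page. It combines 0-based and negative indexing to group local IP addresses by /24 prefix, a common step when scoping which network segments generate the most events. The names octets, subnet_24, host_octet, event_count and distinct_hosts are hypothetical aliases, and it assumes a negative index counts from the end of the array, so that -1 is the last element.

```xql
// Added example: constructed query, not taken from the Cortex XDR documentation.
dataset = xdr_data
| fields action_local_ip as alii
| filter alii != null and alii != "0.0.0.0"
| alter octets = split(alii, ".")
// Keep only values that split into exactly four parts, so every index below exists.
| filter array_length(octets) = 4
// Positive indexes start at 0: positions 0, 1 and 2 are the first three octets.
| alter subnet_24 = concat(arrayindex(octets, 0), ".", arrayindex(octets, 1), ".", arrayindex(octets, 2))
// Negative index (assumed to count from the end): -1 is the last octet, the same value as index 3 here.
| alter host_octet = arrayindex(octets, -1)
// Events and distinct host octets seen per /24 prefix.
| comp count(alii) as event_count, count_distinct(host_octet) as distinct_hosts by subnet_24
| sort desc event_count
| limit 10
```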