arraymap

Cortex XDR XQL Language Reference

Product: Cortex XDR
Creation date: 2024-02-26
Last date published: 2024-05-21
Category: Reference Guide
Abstract

Learn more about the Cortex Query Language arraymap() function that applies a callable function to every element of an array.

Syntax

arraymap (<array>, <function()>)

Description

The arraymap() function applies a specified function to every element of an array. For functions that require a field name, use "@element" in place of the field name to refer to the current array element.

Examples

Extract the MAC address from the agent_interface_map field. This example uses the json_extract_scalar, to_json_string, json_extract_array, and arraystring functions to extract the desired information.

dataset = xdr_data 
| alter mac = 
    arraystring (
        arraymap (
            json_extract_array (to_json_string(agent_interface_map),"$."),
            json_extract_scalar ("@element", "$.mac")
        ), ",")
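The following Python model traces the same pipeline step by step so the intermediate arrays are visible. It is an added illustration, not Cortex XDR code or part of the original reference. The sample record, every key other than "mac", the null-skipping in arraystring and the helper extract_macs are assumptions.

```python
import json

# Constructed sample record. Only the "mac" key comes from the page's query;
# the other keys and all values are assumptions made for illustration.
SAMPLE_INTERFACE_MAP = [
    {"name": "eth0", "ip": "10.0.0.5", "mac": "00:11:22:33:44:55"},
    {"name": "wlan0", "ip": "192.168.1.20", "mac": "66:77:88:99:aa:bb"},
]

def to_json_string(value):
    """Serialize a field value to JSON text."""
    return json.dumps(value)

def json_extract_array(json_text, path):
    """Return the array at `path` as a list of JSON strings (root path only)."""
    if path not in ("$", "$."):
        raise ValueError("this model only handles the root path")
    parsed = json.loads(json_text)
    if not isinstance(parsed, list):
        return []
    return [json.dumps(item) for item in parsed]

def json_extract_scalar(json_text, path):
    """Return the scalar at `$.key` as a string, or None if it is absent."""
    key = path[2:] if path.startswith("$.") else path
    obj = json.loads(json_text)
    if not isinstance(obj, dict):
        return None
    value = obj.get(key)
    return None if value is None or isinstance(value, (dict, list)) else str(value)

def arraymap(array, element_fn):
    """Apply element_fn to every element; its argument plays the role of "@element"."""
    return [element_fn(element) for element in array]

def arraystring(array, delimiter):
    """Join elements with delimiter. Skipping nulls is this model's assumption."""
    return delimiter.join(item for item in array if item is not None)

def extract_macs(interface_map):
    """Mirror the page's query: array of objects -> array of MACs -> one string."""
    elements = json_extract_array(to_json_string(interface_map), "$.")
    macs = arraymap(elements, lambda element: json_extract_scalar(element, "$.mac"))
    return arraystring(macs, ",")

if __name__ == "__main__":
    print(extract_macs(SAMPLE_INTERFACE_MAP))
```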