Abstract
Learn more about the Cortex Query Language arraystring() function that returns a string from an array, where each array element is joined by a defined delimiter.
Syntax
arraystring (<string>, <delimiter>)
Description
The arraystring() function returns a string from an array, where each array element is joined by a defined delimiter.
Examples
Retrieve all action_app_id_transitions values that are not null, combine each array into a string where array elements are delimited by " : ", and then dedup the resulting string.
dataset = xdr_data
| fields action_app_id_transitions as aait
| alter transitions_string = arraystring(aait, " : ")
| dedup transitions_string by asc _time
| filter aait != null