arraystring - Reference Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR XQL Language Reference

Product
Cortex XDR
Creation date
2024-02-26
Last date published
2024-05-21
Category
Reference Guide
Abstract

Learn more about the Cortex Query Language arraystring() function that returns a string from an array, where each array element is joined by a defined delimiter.

Syntax

arraystring (<string>, <delimiter>)

Description

The arraystring() function returns a string from an array, where each array element is joined by a defined delimiter.

Examples

Retrieve all action_app_id_transitions that are not null, combine each array into a string where array elements are delimited by " : ", and then use Dedup the resulting string.

dataset = xdr_data 
| fields action_app_id_transitions  as aait 
| alter transitions_string = arraystring(aait, " : ") 
| dedup transitions_string by asc _time 
| filter aait != null