coalesce - Reference Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR XQL Language Reference
Product
Cortex XDR
Creation date
2024-02-26
Last date published
2024-04-21
Category
Reference Guide
Abstract

Learn more about the Cortex Query Language coalesce() function that returns the first value that is not null from a defined list of fields.

Syntax

coalesce (<field_1>, <field_2>,...<field_n>)

Description

The coalesce() function takes an arbitrary number of arguments and returns the first value that is not NULL.

Example

Given a list of fields that contain usernames, select the first one that is not null and display it in the username column.

dataset = xdr_data 
| fields actor_primary_username,
       os_actor_primary_username,
       causality_actor_primary_username 
| alter username = coalesce(actor_primary_username,
                          os_actor_primary_username,
                          causality_actor_primary_username)