Learn more about the Cortex Query Language count aggregate comp function, which counts the total number of values for a field in the result set.
Syntax
comp count(<field>) [as <alias>] by <field_1>,<field_2> [addrawdata = true|false as <target field>]
Description
The count aggregation is a comp function that returns a count of the number of values found for a field, for all records that contain matching values for the fields identified in the by clause.
In addition, you can configure whether the raw data events are displayed by setting addrawdata to either true or false (the default); these raw events are the ones used to build the final comp results. When including raw data events in your query, the query runs for up to 50 fields that you define and displays up to 100 events.
Use count_distinct to retrieve the number of unique values in the result set.
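The following query is an added example, not one from the original documentation, that puts count and count_distinct side by side so the difference is visible in one result set: for each process image path, the number of process-start records and the number of unique command lines those records used. It assumes the xdr_data dataset exposes an event_type field with the ENUM.PROCESS value (standard Cortex XDR fields that this page does not mention).

```xql
// Added example, not from the original documentation.
// Assumption: xdr_data carries event_type = ENUM.PROCESS for process-start records.
dataset = xdr_data
| filter event_type = ENUM.PROCESS
| fields actor_process_image_path as Process_Path, actor_process_command_line as Process_CMD
// count() counts every record in the group that has a Process_CMD value;
// count_distinct() counts only the unique Process_CMD values in that group.
| comp count(Process_CMD) as executions, count_distinct(Process_CMD) as distinct_cmds by Process_Path
| sort desc distinct_cmds
| limit 100
```

Because addrawdata is omitted it takes its default of false, so the result contains only the grouped Process_Path, executions and distinct_cmds columns and no raw_data column. Reading the two counters together is useful for triage: a path with many executions but few distinct command lines is normally routine, whereas a path with a high ratio of distinct command lines to executions is a candidate for closer review with addrawdata = true on a narrowed filter.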
Example
Return a count of all values seen for the actor_process_image_path field for all records that have matching values for their actor_process_image_path and actor_process_command_line values. The query returns a maximum of 100 xdr_data records and includes a raw_data column listing the raw data events used to display the final comp results.
dataset = xdr_data | fields actor_process_image_path as Process_Path, actor_process_command_line as Process_CMD, action_total_download as Download | filter Download > 0 | limit 100 | comp count(Process_Path) as num_process_path by Process_Path, Process_CMD addrawdata = true as raw_data | sort desc Process_Path