count_distinct - Reference Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR XQL Language Reference

Product: Cortex XDR
Creation date: 2023-10-31
Last date published: 2024-03-27
Category: Reference Guide
Abstract

Learn more about the Cortex Query Language count_distinct aggregate comp function that counts the number of unique values found for a field in the result set.

Syntax
comp count_distinct(<field>) [as <alias>] by <field_1>,<field_2> [addrawdata= true|false as <target field>]
Description

The count_distinct aggregation is a comp function that returns the number of unique values found for a field, computed across all records that share the same values for the fields listed in the by clause.

In addition, you can set addrawdata to either true or false (default) to control whether the raw data events that produced each comp result are included alongside the final results. When raw data events are included, the query runs for up to 50 fields that you define and displays up to 100 events.

Use count to retrieve the total number of values in the result set.

Examples
dataset = xdr_data
| fields actor_process_image_path as Process_Path, actor_process_command_line as Process_CMD, action_total_download as Download
| filter Download > 0
| limit 100
| comp count_distinct(Process_Path) as num_process_path by Process_Path, Process_CMD addrawdata = true as raw_data
| sort desc Process_Path
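A second query, added here as an editor's example rather than taken from the reference guide, shows count_distinct next to count in a typical detection use: per host and process, how many unique remote IPs were contacted versus how many connections were made in total, with the raw events kept for triage. It assumes the xdr_data fields event_type, action_remote_ip, agent_hostname and actor_process_image_name, and the threshold of 50 is an arbitrary illustrative value.

```xql
dataset = xdr_data
| filter event_type = ENUM.NETWORK and action_remote_ip != null
| fields agent_hostname, actor_process_image_name as proc, action_remote_ip as remote_ip
| comp count_distinct(remote_ip) as distinct_remote_ips, count(remote_ip) as total_connections by agent_hostname, proc addrawdata = true as raw_events
| filter distinct_remote_ips > 50
| sort desc distinct_remote_ips
```

A process with a high distinct_remote_ips but a similar total_connections count is talking to many different hosts once each, which is a different pattern from a process repeatedly contacting a handful of addresses; comparing the two aggregates separates those cases.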