if - Reference Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR XQL Language Reference

Product
Cortex XDR
Creation date
2024-02-26
Last date published
2024-04-16
Category
Reference Guide
Abstract

Learn more about the Cortex Query Language if() function that returns a result after evaluating a condition.

Syntax

if (<boolean_expression>, <true_return_expression>, <false_return_expression>)

Description

The if() function evaluates a boolean expression. If the expression evaluates to true, the function returns the result of evaluating the second argument (<true_return_expression>). If the expression evaluates to false, the function returns the result of evaluating the third argument (<false_return_expression>). Both return expressions are ordinary XQL expressions, so they can contain function calls, including further if() calls, which lets you build multi-way classifications by nesting.
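The following query is an added example, not code from the original page, showing if() nested to produce a multi-way label for process-start events and then aggregating on that label. It assumes the xdr_data fields event_type, event_sub_type, action_process_image_name, actor_process_image_name and action_process_image_command_line, and the ENUM.PROCESS and ENUM.PROCESS_START values, exist under those names in your tenant's schema; the process-name lists and the command-line substrings are illustrative heuristics chosen for the example, not a vetted detection.

```xql
// Added example (not from the original page): nested if() as a classifier.
// Field names, enum values and the process lists below are assumptions for illustration.
dataset = xdr_data
| filter event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START
// Normalize case once so every comparison below is case-insensitive
| alter proc = lowercase(action_process_image_name),
        parent = lowercase(actor_process_image_name),
        cmd = lowercase(action_process_image_command_line)
// Drop rows with null fields so the string operators have something to evaluate
| filter proc != null and parent != null and cmd != null
| alter launch_class =
    if(parent in ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"),   // outer condition
       "office-child",                                                           // true branch
       if(proc in ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",    // false branch: nested if()
                   "mshta.exe", "rundll32.exe", "regsvr32.exe"),
          if(cmd contains "-enc" or cmd contains "http",                         // third level
             "lolbin-suspicious",
             "lolbin"),
          "other"))
// Keep only the rows the classifier flagged, then count per label
| filter launch_class != "other"
| comp count() as hits by launch_class, parent, proc
| sort desc hits
| limit 50
```

The innermost if() runs only when the outer two conditions have already been decided, so the label is assigned by the first matching branch from the outside in; reorder the nesting if you want, for example, an Office parent launching an encoded PowerShell command to be labelled "lolbin-suspicious" rather than "office-child".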

Examples

If '.exe' is present in the action_process_image_name field value, replace that substring with an empty string. This example uses the replace and lowercase functions, as well as the contains operator to perform the conditional check. Because the value is lowercased before the check, the match is case-insensitive. Note that contains matches the substring anywhere in the name, not only as a trailing file extension, and the false branch still returns the lowercased name so that the new field has a consistent case in both cases.

dataset = xdr_data 
| fields action_process_image_name as apin 
| filter apin != null 
| alter remove_exe_process = 
    if(lowercase(apin) contains ".exe",  // boolean expression
       replace(lowercase(apin),".exe",""), // return if true
       lowercase(apin))  // return if false
| limit 10