Abstract
Learn more about the Cortex Query Language lag() navigation function that is used with a windowcomp stage.
Syntax
windowcomp lag(<field>) [by <field> [,<field>,...]] sort [asc|desc] <field1> [, [asc|desc] <field2>,...] [as <alias>]
Description
The lag() function is a navigation function that is used in combination with a windowcomp stage. For each row in the group of rows, it returns a single value of a field from a preceding row. The group of rows and the row order are defined by the combination of the by clause and the sort clause (mandatory).
Example
For each successful login event, retrieve the timestamp of the previous successful login by the same identity.
preset = authentication_story | filter auth_identity not in (null, """""") and auth_outcome = """SUCCESS""" | alter ep = to_epoch(_time) | limit 100 | windowcomp lag(_time) by auth_identity sort asc ep as previous_login
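The grouping and ordering described above can be checked against a small model before relying on the query in a hunt. The following Python sketch is an added example, not Cortex code: it models the by/sort/lag behaviour over constructed login events and derives the gap between consecutive successful logins per identity. It lags the epoch field ep rather than _time to keep the arithmetic simple, and it assumes that the first row of each group, which has no preceding row, receives an empty value (None).

```python
from collections import defaultdict

# Constructed sample events (not real telemetry): successful logins only,
# using the field names from the page's query.
EVENTS = [
    {"auth_identity": "alice", "ep": 1700000300},
    {"auth_identity": "bob",   "ep": 1700000100},
    {"auth_identity": "alice", "ep": 1700000000},
    {"auth_identity": "bob",   "ep": 1700007300},
    {"auth_identity": "alice", "ep": 1700090000},
]

def windowcomp_lag(rows, field, by, sort_field, alias, descending=False):
    """Model of `windowcomp lag(field) by <by> sort <sort_field> as <alias>`.

    Rows are grouped on `by`, ordered on `sort_field` inside each group, and
    each row receives `field` from the row just before it in that order.
    Assumption: the first row of a group has no predecessor and gets None.
    """
    groups = defaultdict(list)
    for row in rows:
        groups[row[by]].append(row)
    out = []
    for key in sorted(groups):
        ordered = sorted(groups[key], key=lambda r: r[sort_field],
                         reverse=descending)
        previous = None
        for row in ordered:
            out.append({**row, alias: previous})
            previous = row[field]
    return out

def login_gaps(rows):
    """Seconds since the same identity's previous successful login."""
    lagged = windowcomp_lag(rows, "ep", "auth_identity", "ep", "previous_login")
    return [
        (r["auth_identity"], r["ep"],
         None if r["previous_login"] is None else r["ep"] - r["previous_login"])
        for r in lagged
    ]

if __name__ == "__main__":
    for identity, ep, gap in login_gaps(EVENTS):
        print(identity, ep, gap)
```

Because the page's query applies limit 100 before the windowcomp stage, the preceding row is taken only from the rows that survive the limit, which the model reproduces if the input list is truncated first.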