rank - Reference Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR XQL Language Reference

Product
Cortex XDR
Creation date
2024-07-16
Last date published
2024-11-25
Category
Reference Guide
Abstract

Learn more about the Cortex Query Language rank() numbering function that is used with a windowcomp stage.

Syntax

windowcomp rank() [by <field> [,<field>,...]] sort [asc|desc] <field1> [, [asc|desc] <field2>,...] [as <alias>]

Description

The rank() function is a numbering function that is used in combination with a windowcomp stage. It returns a single value for each row: the ordinal (1-based) rank of that row within its group of rows, where the group is defined by the optional by clause and the order within the group is defined by the mandatory sort clause.

Example

Return an average ranking for the average CPU usage of records with metric_type=HOST. This lets you see changes in a host's CPU usage compared to all hosts in the environment. The query retrieves a maximum of 100 it_metrics records. Within each ft group, the rows are ranked by cpu_avg_str in descending order, and the rank is written to the rank column.

dataset = it_metrics
| filter metric_type = HOST
| alter cpu_avg_str = to_string(cpu_avg)
| alter ft = date_floor(_time, "w")
| alter dt = date_floor(_time, "d")
| limit 100
| windowcomp rank() by ft sort desc cpu_avg_str as rank
| filter (agent_hostname contains $host_name)
| comp avg(rank) by dt
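The following Python model of what the query above computes is an added example; it is not part of the Cortex XDR documentation or product. It partitions constructed it_metrics-style rows by ft, ranks them with rank() semantics, and then aggregates avg(rank) by dt for one host; it also shows what ranking the to_string() value does, because strings compare lexicographically rather than numerically. Assumptions: tied sort values share a rank and the next rank is skipped (SQL RANK() semantics, which the page does not spell out), and the sample rows are constructed.

```python
import functools
from collections import defaultdict

# Constructed it_metrics-style rows (not real telemetry): ft = week bucket, dt = day bucket.
SAMPLE_IT_METRICS = [
    {"agent_hostname": "host-a", "ft": "2024-W28", "dt": "2024-07-08", "cpu_avg": 100.0},
    {"agent_hostname": "host-b", "ft": "2024-W28", "dt": "2024-07-08", "cpu_avg": 10.2},
    {"agent_hostname": "host-c", "ft": "2024-W28", "dt": "2024-07-09", "cpu_avg": 9.5},
    {"agent_hostname": "host-a", "ft": "2024-W29", "dt": "2024-07-15", "cpu_avg": 55.0},
    {"agent_hostname": "host-b", "ft": "2024-W29", "dt": "2024-07-15", "cpu_avg": 55.0},
]

def _compare(a, b, sort_keys):
    """Order two rows by a sort clause given as a list of (field, "asc"|"desc")."""
    for field, direction in sort_keys:
        if a[field] == b[field]:
            continue
        less = -1 if a[field] < b[field] else 1
        return less if direction == "asc" else -less
    return 0

def windowcomp_rank(rows, by, sort_keys, alias="rank"):
    """Model of `windowcomp rank() by <fields> sort ... as <alias>`.
    Assumption: equal sort values share a rank and the next rank is skipped."""
    partitions = defaultdict(list)
    for row in rows:
        partitions[tuple(row[f] for f in by)].append(row)
    ranked = []
    for group in partitions.values():
        ordered = sorted(group, key=functools.cmp_to_key(
            lambda a, b: _compare(a, b, sort_keys)))
        prev, rank = None, 0
        for position, row in enumerate(ordered, start=1):
            key = tuple(row[f] for f, _ in sort_keys)
            if key != prev:  # new distinct sort value: rank jumps to the 1-based position
                prev, rank = key, position
            ranked.append({**row, alias: rank})
    return ranked

def rank_cpu_by_week(rows, as_string=False):
    """`alter cpu_avg_str = to_string(cpu_avg)` then rank by ft, sort desc on the chosen field.
    Ranking the string field compares lexicographically ("9.5" sorts above "100.0")."""
    field = "cpu_avg_str" if as_string else "cpu_avg"
    rows = [{**r, "cpu_avg_str": str(r["cpu_avg"])} for r in rows]
    return windowcomp_rank(rows, by=("ft",), sort_keys=[(field, "desc")])

def ranks_for(ranked, host):
    """Map week (ft) -> rank for one host."""
    return {r["ft"]: r["rank"] for r in ranked if r["agent_hostname"] == host}

def avg_rank_by_day(ranked, host_name):
    """`filter agent_hostname contains $host_name | comp avg(rank) by dt`."""
    totals = defaultdict(lambda: [0, 0])
    for r in ranked:
        if host_name in r["agent_hostname"]:
            totals[r["dt"]][0] += r["rank"]
            totals[r["dt"]][1] += 1
    return {dt: total / n for dt, (total, n) in totals.items()}
```

Ranking on cpu_avg puts host-a first in week 28; ranking on cpu_avg_str puts host-c first, which is why the string conversion deserves a second look when the goal is a numeric ordering.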