row_number

Cortex XDR XQL Language Reference

Product: Cortex XDR
Creation date: 2024-07-16
Last date published: 2024-10-06
Category: Reference Guide
Abstract

Learn more about the Cortex Query Language row_number() numbering function that is used with a windowcomp stage.

Syntax

windowcomp row_number() [by <field> [,<field>,...]] [sort [asc|desc] <field1> [, [asc|desc] <field2>,...]] [as <alias>]

Description

The row_number() function is a numbering function used with a windowcomp stage. It returns the sequential, 1-based row ordinal for each row in a group of rows, where the by clause defines the groups and sort defines the order within each group.

Example

Return the sequential, 1-based row ordinal for each row in the group of rows. The query returns a maximum of 100 xdr_data records. Rows are numbered in ascending order of source_ip, and the ordinal is returned in the row_number_dns_query_name column.

dataset = xdr_data
| limit 100
| windowcomp row_number() sort source_ip as row_number_dns_query_name
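
The page shows no query output, so the following Python model illustrates how the ordinals come out when a by clause and a descending sort are combined. It is an added example, not Cortex XDR code and not part of the original reference; the sample rows, the _time and dns_query_name fields, and the function names row_number and latest_per_group are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample rows (not real telemetry); field names are assumptions.
ROWS = [
    {"source_ip": "10.0.0.5", "_time": 1700000300, "dns_query_name": "a.example"},
    {"source_ip": "10.0.0.2", "_time": 1700000100, "dns_query_name": "b.example"},
    {"source_ip": "10.0.0.5", "_time": 1700000500, "dns_query_name": "c.example"},
    {"source_ip": "10.0.0.2", "_time": 1700000400, "dns_query_name": "d.example"},
    {"source_ip": "10.0.0.9", "_time": 1700000200, "dns_query_name": "e.example"},
]


def row_number(rows, by=(), sort=(), alias="row_number"):
    """Model of: windowcomp row_number() by <by> sort [asc|desc] <field> as <alias>.

    by   -- field names that define the groups (empty = one group of all rows)
    sort -- (direction, field) pairs, direction being "asc" or "desc"
    Returns copies of the rows in input order, each with a 1-based ordinal
    stored under `alias`. The page does not say how ties are ordered, so the
    sample data has no ties on the sort field.
    """
    groups = defaultdict(list)
    for idx, row in enumerate(rows):
        groups[tuple(row[f] for f in by)].append(idx)

    out = [dict(r) for r in rows]  # copies, so the input rows stay untouched
    for members in groups.values():
        ordered = list(members)
        # Apply sort keys last to first; the sort is stable, so the first
        # key listed ends up as the primary one.
        for direction, field in reversed(sort):
            ordered.sort(key=lambda i: rows[i][field], reverse=(direction == "desc"))
        for ordinal, i in enumerate(ordered, start=1):
            out[i][alias] = ordinal
    return out


def latest_per_group(rows, by, time_field="_time"):
    """Keep the newest row per group: number by time descending, keep ordinal 1."""
    ranked = row_number(rows, by=by, sort=[("desc", time_field)], alias="rn")
    return [r for r in ranked if r["rn"] == 1]


if __name__ == "__main__":
    # Models: windowcomp row_number() by source_ip sort desc _time as rn
    for r in row_number(ROWS, by=("source_ip",), sort=[("desc", "_time")], alias="rn"):
        print(r["source_ip"], r["_time"], r["rn"])
```

With a by clause the numbering restarts at 1 for every distinct source_ip, which is why keeping only ordinal 1 yields the most recent row per source.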