split

Cortex XDR XQL Language Reference

Product: Cortex XDR
Creation date: 2024-02-26
Last date published: 2024-05-21
Category: Reference Guide

Abstract

Learn more about the Cortex Query Language split() function that splits a string and returns an array of string parts.

Syntax

split (<value> [, <string_delimiter>])

Description

The split() function splits a string using an optional delimiter, and returns the resulting substrings in an array. If no delimiter is specified, a space (' ') is used.

Examples

Split IP addresses into an array, each element of the array containing an IP octet.

dataset = xdr_data
| fields action_local_ip as alii
| alter ip_octets = split(alii, ".")
| limit 10
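
The default-delimiter case from the Description, as an added example that is not part of the original reference page: split() is called with no delimiter, so a process command line is split on spaces and the tokens are then summarized per image. It assumes the xdr_data fields event_type, agent_hostname, action_process_image_name and action_process_image_command_line, and the XQL functions arrayindex() and array_length(), none of which appear on this page.

```xql
// Added example: split() with no delimiter argument, so a space (' ') is used.
// Caveat: split() breaks on every space, so a quoted path such as
// "C:\Program Files\..." is cut mid-path and first_token holds only part of it.
dataset = xdr_data
| filter event_type = ENUM.PROCESS and action_process_image_command_line != null
| fields agent_hostname, action_process_image_name, action_process_image_command_line as cmdline
| alter cmd_tokens = split(cmdline)
| alter first_token = arrayindex(cmd_tokens, 0),
        token_count = array_length(cmd_tokens)
| comp count() as executions, max(token_count) as max_tokens by action_process_image_name, first_token
| sort desc executions
| limit 50
```

A first_token that does not match the image name, or an unusually high max_tokens for a given image, is a quick pointer to command lines worth reading in full.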