subtract - Reference Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR XQL Language Reference

Product: Cortex XDR
Creation date: 2023-10-31
Last date published: 2024-03-27
Category: Reference Guide
Abstract: Learn more about the Cortex Query Language subtract() function that subtracts two integers.

Syntax

subtract (<string1> | <integer1>, <string2> | <integer2>)

Description

The subtract() function subtracts two positive integers, returning the first argument minus the second argument. Each parameter may be either an integer literal or an integer stored as a string type, such as might be contained in a data field.

Example

dataset = xdr_data 
| alter mynum = subtract(action_file_size, 3) 
| fields action_file_size, mynum 
| filter action_file_size > 3 
| limit 1