Useful XQL User Interface Features - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product
Cortex XSIAM
Creation date
2024-02-26
Last date published
2024-04-25
Category
Administrator Guide
Abstract

Learn about useful XQL query features in the user interface.

The user interface contains several useful features for querying data, and for viewing results:

  • XQL query—The XQL query field is where you define the parameters of your query. To help you create an effective XQL query, the search field provides suggestions and definitions as you type.

  • Translate to XQL—Converts your existing Splunk Search Processing Language (SPL) queries to XQL syntax. When you enable Translate to XQL, both an SPL query field and an XQL query field are displayed. You can paste a Splunk query into the SPL field, and it is converted automatically into XQL in the XQL query field. This option is disabled by default.

  • Query Results—After you create and run an XQL query, you can view, filter, and visualize your Query Results.

  • XQL Helper—Describes common stage commands and provides examples that you can use to build a query.

  • Query Library—Contains common, predefined queries that you can use as-is or modify to suit your needs. In addition, there is a Personal Query Library for saving and managing your own queries; you can share these queries with other users, and other users can share their queries with you.

  • Schema—Contains schema information for every field found in the result set. This information includes the field name, data type, descriptive text (if available), and the dataset that contains the field.

    • For dataset queries, it contains the list of all the fields of all the datasets that were involved in the query.

    • For data model queries, it contains the list of all the data model fields.
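As an added example (not taken from this guide, and not the output of the Translate to XQL feature itself), the following shows a Splunk SPL search together with a hand-written XQL query that returns the same information. The dataset name (xdr_data), the field names, and the 24-hour window are assumptions about a typical Cortex XSIAM tenant; the translator's own output may be structured differently.

```xql
// Constructed example: hand-written XQL equivalent of this SPL search
// (the SPL line is shown for comparison; it is not valid XQL):
//   index=endpoint sourcetype=process process_name="powershell.exe" earliest=-24h
//   | stats count by host | sort -count | head 20
//
// Assumptions: the xdr_data dataset and its process-event fields exist in the tenant.
config timeframe = 24h
| dataset = xdr_data
// Keep only process events whose image name matches the executable of interest.
| filter event_type = ENUM.PROCESS
    and action_process_image_name = "powershell.exe"
// Aggregate per endpoint, the same as "stats count by host" in SPL.
| comp count() as process_count by agent_hostname
// Order from the busiest host downward and cap the result set.
| sort desc process_count
| limit 20
```

Review a translated query rather than trusting it blindly: the two languages do not share all comparison semantics (string matching and time-range handling are common differences), so check the returned rows in Query Results and use the Schema panel to confirm that the fields referenced by the translated query exist in the dataset with the data types you expect.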