Expected results when querying fields

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-10-07
Category
Administrator Guide
Abstract

Learn what to expect in the query results when querying fields.

The following rules determine which fields appear in the results of an XQL query:

  • If specific fields are listed in the fields stage, exactly those fields are returned.

  • If a datamodel query has no fields stage, the xdm_core fieldset is returned.

  • Unmapped fields are returned as NULL. An unmapped field is an XDM field that has not been mapped from the relevant dataset by a Data Model Rule.

  • By default, the _time system field is added to every datamodel query. However, _time is not added to queries that contain a comp stage.

  • For dataset queries, all current system fields are returned, even if they are not listed in the query.

  • For a union between a datamodel (XDM) query and a dataset query, each side of the union returns its own fields.

  • Each new column created by the alter stage is appended as the last column of the result set. To change the column order, list the fields in the desired order in a fields stage after the alter stage.

  • Each new column created by the comp stage is appended as the last column of the result set. Every field that is neither a group-by field nor a calculated column of the comp stage is removed from the result set, including the xdm_core fields and the _time system field.

  • When a datamodel query has no explicit limit stage, a maximum of 1000 results is returned (the default). When a limit is applied to the results through the limit stage, the user interface indicates it.
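The queries below are added examples illustrating the rules above; they are not part of the original Cortex XSIAM documentation. They assume the standard xdr_data dataset and common XDM fields such as xdm.event.type, xdm.source.user.username, xdm.source.ipv4 and action_local_ip exist in the tenant, and that the tenant's XQL accepts // line comments and a parenthesised subquery after union; none of these names or syntax details come from the page.

```xql
// 1. Explicit fields stage: exactly these two columns plus _time are returned.
datamodel dataset = xdr_data
| fields xdm.event.type, xdm.source.user.username

// 2. No fields stage: the xdm_core fieldset plus _time is returned.
//    An XDM field with no Data Model Rule mapping shows up as NULL.
datamodel dataset = xdr_data

// 3. alter appends its new column last; a trailing fields stage fixes the order.
datamodel dataset = xdr_data
| alter user_upper = uppercase(xdm.source.user.username)
| fields user_upper, xdm.event.type

// 4. comp keeps only the group-by field and the calculated column.
//    xdm_core fields and _time are dropped from the result set.
datamodel dataset = xdr_data
| comp count() as event_count by xdm.source.user.username

// 5. Dataset query: system fields (e.g. _time, _product) are returned
//    even though only one raw field is requested.
dataset = xdr_data
| fields action_local_ip

// 6. Union of a datamodel query and a dataset query: each side keeps
//    its own columns (assumed subquery syntax for union).
datamodel dataset = xdr_data
| fields xdm.source.ipv4
| union (dataset = xdr_data | fields action_local_ip)

// 7. Explicit limit stage: the UI indicates the applied limit. Without it,
//    the datamodel query would silently stop at the 1000-row default.
datamodel dataset = xdr_data
| fields xdm.event.type, xdm.source.ipv4
| limit 50
```

Run each query separately in the Query Builder and compare the column headers: queries 2 and 5 show how many columns arrive implicitly, while query 4 shows how comp strips everything that is not grouped or computed.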