Learn more about the Cortex Query Language alter stage.
Syntax
alter <field1> = <function value1> [, <field2> = <function value2>, ...]
Description
The alter stage changes the value of an existing field (column) or creates a new field (column) from constant values or from existing fields. It does this by assigning the return value of the specified function, or a constant, to a field name. The field does not have to exist in the schema of the dataset or preset you are querying; if it does exist, the assignment overwrites its current value.
After defining a field with the alter stage, you can apply other stages, such as filter, to the new field or to its new value.
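The following query is an added example that is not part of the original page; it shows several alter assignments in one stage: a new field derived from an existing one, an overwrite of a known field, a constant-valued tag, and a filter that runs on a field the alter stage created. It assumes the xdr_data fields agent_hostname, actor_process_image_name and actor_process_command_line exist in your tenant, and uses the built-in lowercase(), if() and coalesce() functions.

```xql
dataset = xdr_data
| fields agent_hostname, actor_process_image_name, actor_process_command_line
// Overwrite a known field in place (normalize case before any comparison),
// create derived fields, and add a constant tag, all in one alter stage.
| alter agent_hostname = lowercase(agent_hostname),
        proc_lc = lowercase(actor_process_image_name),
        cmd_lc = coalesce(lowercase(actor_process_command_line), ""),
        is_powershell = if(lowercase(actor_process_image_name) = "powershell.exe", true, false),
        review_tag = "needs_review"
// Later stages can use the fields that alter created.
| filter is_powershell = true
| fields agent_hostname, proc_lc, cmd_lc, review_tag
```

Note that the comparison in the if() call lowercases the image name itself rather than relying on proc_lc: fields assigned in the same alter stage are not guaranteed to be visible to sibling assignments, so derive each value from the input fields or split the work into two alter stages.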
Examples
Given three username fields, use the coalesce function to return the first non-null value as default_username, then filter out any event whose default_username is root.

dataset = xdr_data | fields actor_primary_username, os_actor_primary_username, causality_actor_primary_username | alter default_username = coalesce(actor_primary_username, os_actor_primary_username, causality_actor_primary_username) | filter default_username != "root"