Learn more about the Cortex Query Language alter stage.
Syntax
alter <field1> = <function value1> [, <field2> = <function value2>, ...]
Description
The alter stage changes the value of an existing field (column) or creates a new field from constant values, existing fields, or the return value of a function. Each assignment binds a field name to the result of the expression on its right-hand side. The field does not have to exist in the schema of the dataset or preset you are querying; if it does, alter overwrites its current value.
After defining a field using the alter stage, you can apply other stages, such as filtering, to the new field or field value.
Examples
Given three username fields, use the coalesce function, which returns the first non-null argument in the order given, to populate a default_username field, then filter out any row whose default_username is root.
dataset = xdr_data
| fields actor_primary_username,
         os_actor_primary_username,
         causality_actor_primary_username
| alter default_username = coalesce(actor_primary_username,
                                    os_actor_primary_username,
                                    causality_actor_primary_username)
| filter default_username != "root"
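A second example, added here as an editorial illustration and not part of the original page, exercises the three cases the Description lists: a constant assigned to a new field, a new field derived from an existing one, and a known field overwritten in place. The field name source_tag is chosen for illustration; actor_primary_username and action_process_image_name are existing xdr_data fields, and lowercase is the XQL string function.

```xql
dataset = xdr_data
| fields actor_primary_username, action_process_image_name
| alter source_tag = "endpoint",
        username_lc = lowercase(actor_primary_username)
| alter action_process_image_name = lowercase(action_process_image_name)
| filter username_lc != "root"
```

The first alter creates two new fields in one stage: source_tag holds a constant, and username_lc holds a lowercased copy of the actor username. The second alter overwrites the existing action_process_image_name field with its lowercased value rather than creating a new column. Filtering on the normalized username_lc rather than on the raw field means the exclusion does not depend on how the username happens to be cased in the event.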