coalesce - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product: Cortex XSIAM
Creation date: 2024-03-06
Last date published: 2024-10-10
Category: Administrator Guide
Abstract

Learn more about the Cortex Query Language coalesce() function, which returns the first non-null value from a defined list of fields.

Syntax

coalesce (<field_1>, <field_2>,...<field_n>)

Description

The coalesce() function takes an arbitrary number of arguments and returns the first value that is not NULL.

Example

Given a list of fields that contain usernames, select the first one that is not null and display it in the username column.

dataset = xdr_data 
| fields actor_primary_username,
       os_actor_primary_username,
       causality_actor_primary_username 
| alter username = coalesce(actor_primary_username,
                          os_actor_primary_username,
                          causality_actor_primary_username)