Learn more about the Cortex Query Language filter stage, which narrows down the displayed results.
Syntax
filter <boolean expr>
Description
The filter stage identifies which data records are returned by the query. Filters are boolean expressions that can use a wide range of functions and operators. If a record matches the filter, that is, the filter expression returns true when applied to the record, the record is included in the query's result set.
The functions you can use with a filter are described in Functions. For a list of supported operators, see Supported operators.
Cortex XSIAM lets you use single double quotes ("<text>") or triple double quotes ("""<text>""") when writing string values in your XQL syntax. Both forms are accepted by the various stages, functions, and operators, with or without wildcards. Typically, the alter and filter stages are used with single or triple double quotes.
Single double quotes ("<text>") have the following behavior:
- The string value is treated literally.
- Wildcards using the asterisk (*) are processed as XQL wildcards and match any sequence of characters.
- Escape sequences, such as \n (new line) or \t (tab), are not processed and are treated as plain characters. For example, "\test\" means to look for \test\.
Triple double quotes ("""<text>""") have the following behavior:
- Regex-style pattern matching and escape sequence interpretation are enabled.
- Escape sequences, such as \n (new line) or \t (tab), are processed.
- Wildcards using the asterisk (*) are processed as XQL wildcards and match any sequence of characters.
- For example, """\\test\\""" means to look for \test\. Understanding the results: the double backslashes (\\) at the beginning become a single backslash (\) because they are processed as an escaped backslash; test is interpreted literally; the double backslashes (\\) at the end become a single backslash (\) because they are processed as an escaped backslash.
When using the filter stage, you can use both single ("<text>") and triple ("""<text>""") double quotes when specifying string values. The difference lies in how special characters and pattern matching are interpreted.
The following examples are based on this data table for a dataset called test_dataset. In the TEST column, the rows shown as 12\t3 and 12\t34563 contain the two literal characters backslash and t, while the rows shown as 12 3 and 12 35897 contain a tab character, which is why the two queries below return different rows:
_TIME | TEST |
---|---|
Mar 26th 2022 19:26:07 | 12\t3 |
May 7th 2023 15:16:00 | 12 3 |
Jun 8th 2024 16:56:27 | 1233 |
Mar 26th 2024 19:26:07 | 123 |
Apr 5th 2024 11:21:02 | 12\t34563 |
Apr 9th 2025 13:22:22 | 1233345 |
May 9th 2025 13:22:22 | 12 35897 |
May 30th 2025 21:45:02 | 116 |
config timeframe = 10y | dataset = test_dataset | filter test = "12\t3*" | fields test
Output results table:
_TIME | TEST |
---|---|
Mar 26th 2022 19:26:07 | 12\t3 |
Apr 5th 2024 11:21:02 | 12\t34563 |
Explanation of results: The asterisk (*) in "12\t3*" is processed as an XQL wildcard, matching any sequence of characters that begins with 12\t3. In addition, the \t characters are not processed as an escape sequence but as plain characters.
config timeframe = 10y | dataset = test_dataset | filter test = """12\t3*""" | fields test
Output results table:
_TIME | TEST |
---|---|
May 7th 2023 15:16:00 | 12 3 |
May 9th 2025 13:22:22 | 12 35897 |
Explanation of results: The \t in """12\t3*""" is processed as a tab escape sequence. The asterisk (*) in """12\t3*""" is processed as an XQL wildcard, matching any sequence of characters that begins with 12<tab>3.
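The two queries above differ only in how the string literal is decoded before the wildcard match runs. The following Python emulation, added here as an illustration and not code from Cortex or the XQL engine, reproduces that decoding over a constructed copy of test_dataset: the body of a single-quoted literal is taken as written, the body of a triple-quoted literal has its escape sequences processed first, and in both cases `*` becomes "any sequence of characters". The dataset rows, the helper names (`process_escapes`, `compile_xql_string`, `filter_test`) and the set of escape sequences beyond \n, \t and \\ are assumptions of the example.

```python
import re

# Constructed sample data modelled on the test_dataset table above (not an
# export from Cortex). Assumption: rows rendered as "12\t3" hold the two
# literal characters backslash and t, while rows rendered as "12 3" and
# "12 35897" hold a real tab character, which is what the two query results
# in the text imply.
TEST_DATASET = [
    ("Mar 26th 2022 19:26:07", "12\\t3"),
    ("May 7th 2023 15:16:00", "12\t3"),
    ("Jun 8th 2024 16:56:27", "1233"),
    ("Mar 26th 2024 19:26:07", "123"),
    ("Apr 5th 2024 11:21:02", "12\\t34563"),
    ("Apr 9th 2025 13:22:22", "1233345"),
    ("May 9th 2025 13:22:22", "12\t35897"),
    ("May 30th 2025 21:45:02", "116"),
]

# Escape sequences handled for triple double quotes. \n, \t and \\ come from
# the text; \r and \" are an assumption of this example.
_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "\\": "\\", '"': '"'}


def process_escapes(body):
    """Apply escape-sequence processing as described for triple double quotes:
    backslash-t becomes a tab, backslash-n a newline, and a doubled backslash
    a single backslash. Unknown sequences are left untouched."""
    out, i = [], 0
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body) and body[i + 1] in _ESCAPES:
            out.append(_ESCAPES[body[i + 1]])
            i += 2
        else:
            out.append(body[i])
            i += 1
    return "".join(out)


def compile_xql_string(body, triple):
    """Compile the text between the quotes of an XQL string literal.

    In both quoting forms '*' is a wildcard matching any sequence of
    characters; only the triple form processes escape sequences first.
    Everything else is matched literally, so it is regex-escaped.
    """
    value = process_escapes(body) if triple else body
    pattern = ".*".join(re.escape(part) for part in value.split("*"))
    return re.compile(pattern, re.DOTALL)


def filter_test(body, triple, rows=TEST_DATASET):
    """Emulate `filter test = <literal>` over the sample rows and return the
    _TIME values of the records that match (a full match, not a substring)."""
    matcher = compile_xql_string(body, triple)
    return [time for time, test in rows if matcher.fullmatch(test)]


if __name__ == "__main__":
    # filter test = "12\t3*"    (single double quotes: \t stays two characters)
    print(filter_test(r"12\t3*", triple=False))
    # filter test = """12\t3*"""  (triple double quotes: \t becomes a tab)
    print(filter_test(r"12\t3*", triple=True))
```

Running the block prints the two _TIME lists of the output tables above: the single-quoted form returns the Mar 26th 2022 and Apr 5th 2024 rows, the triple-quoted form the May 7th 2023 and May 9th 2025 rows. The same helper shows the """\\test\\""" case: after escape processing the pattern is the six characters \test\, so a value holding eight characters (two backslashes at each end) is not matched.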
Return xdr_data records where the event_type is NETWORK and the event_sub_type is NETWORK_HTTP_HEADER.
dataset = xdr_data | filter event_type = NETWORK and event_sub_type = NETWORK_HTTP_HEADER
Note
When adding filters to an XQL query, possible field values for enum fields are available through the auto-complete feature. However, auto-complete can only show enum values that are known to the schema. In some cases, an enum value that is not known to the defined schema is included on data import. Such a value appears in the result set as an unknown value, such as event_type_unknown_4. Be aware that even though this value appears in the result set, you cannot create a filter using it. For example, this query will fail, even if you know the value appears in your result set:
dataset = xdr_data | filter event_type = event_type_unknown_4
When using fields of type ENUM, the following syntax is supported:
Syntax format A
| filter event_type = ENUM.FILE
Syntax format B
| filter event_type = FILE
Return the XDM fields that are related to the xdm.source.* and xdm.email.* fields, where the xdm.source.user.username is newman.
datamodel dataset = xdr_data | filter xdm.source.user.username = "newman" | fields xdm.source.*, xdm.email.*
When using fields of type ENUM, you can map values from a predefined list of ENUMs. For example, the field xdm.network.ip_protocol is defined as Enum.IP_PROTOCOL, so you can assign it values such as XDM_CONST.IP_PROTOCOL_TCP. The full list can be found in the automatically suggested values for the relevant fields. This syntax is not mandatory.
datamodel dataset = xdr_data | filter xdm.network.ip_protocol = XDM_CONST.IP_PROTOCOL_TCP
For more information on the XDM CONST fields, see the Cortex Data Model Schema Guide.
The Cortex Data Model (XDM) includes aliases. These are predefined sets of fields that can be used to simplify your filter. When the XDM_ALIAS keyword is added while writing a query, a list of available predefined aliases and a tooltip are displayed. The tooltip provides more details about the selected alias. The aliases support these Cortex Query Language (XQL) operators: comparison, string, and range.
For example, when you type this query to search the IPv4 field in the XDM,
datamodel dataset = xdr_data | filter XDM_ALIAS.ipv4 = "10.10.10.10"
the tooltip displays the fields that will be searched for the alias XDM_ALIAS.ipv4: xdm.network.dchp.ciaddr, xdm.target.ipv4, xdm.network.dhcp.giaddr, xdm.source.ipv4, xdm.intermediate.ipv4, xdm.network.dhcp.yiaddr, xdm.network.dhcp.siaddr
The query above is equivalent to the following syntax, which does not use a predefined alias and displays the rows in which at least one of the fields that make up the alias XDM_ALIAS.ipv4 equals "10.10.10.10":
datamodel dataset = xdr_data | filter xdm.network.dchp.ciaddr = "10.10.10.10" or xdm.target.ipv4 = "10.10.10.10" or xdm.network.dhcp.giaddr = "10.10.10.10" or xdm.source.ipv4 = "10.10.10.10" or xdm.intermediate.ipv4 = "10.10.10.10" or xdm.network.dhcp.yiaddr = "10.10.10.10" or xdm.network.dhcp.siaddr = "10.10.10.10"
In this example, when you type this query to search the IPv4 field in the XDM,
datamodel dataset = xdr_data | filter XDM_ALIAS.ipv4 != "10.10.10.10"
the tooltip displays the fields that will be searched for the alias XDM_ALIAS.ipv4: xdm.network.dchp.ciaddr, xdm.target.ipv4, xdm.network.dhcp.giaddr, xdm.source.ipv4, xdm.intermediate.ipv4, xdm.network.dhcp.yiaddr, xdm.network.dhcp.siaddr
The query above is equivalent to the following syntax, which does not use a predefined alias and does not display any row in which at least one of the fields that make up the alias XDM_ALIAS.ipv4 equals "10.10.10.10":
datamodel dataset = xdr_data | filter xdm.network.dchp.ciaddr != "10.10.10.10" and xdm.target.ipv4 != "10.10.10.10" and xdm.network.dhcp.giaddr != "10.10.10.10" and xdm.source.ipv4 != "10.10.10.10" and xdm.intermediate.ipv4 != "10.10.10.10" and xdm.network.dhcp.yiaddr != "10.10.10.10" and xdm.network.dhcp.siaddr != "10.10.10.10"
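The two expansions above are worth pinning down, because the negated form is the one that is easy to get wrong when writing the long-hand version by hand: `XDM_ALIAS.ipv4 = "x"` becomes an OR over the alias fields, while `XDM_ALIAS.ipv4 != "x"` becomes an AND of `!=` terms, meaning "no alias field equals x", not "some alias field differs from x". The following Python snippet is an added illustration of that rewrite, not code from Cortex; the alias field list is copied from the tooltip listing above, and the record dictionaries, the helper names (`expand_alias`, `evaluate_alias`, `some_field_differs`) and the treatment of a field that is absent from a record as simply not equal to the value are assumptions of the example.

```python
# Field list from the tooltip for XDM_ALIAS.ipv4 shown above, copied as the
# text lists them.
IPV4_ALIAS_FIELDS = [
    "xdm.network.dchp.ciaddr",
    "xdm.target.ipv4",
    "xdm.network.dhcp.giaddr",
    "xdm.source.ipv4",
    "xdm.intermediate.ipv4",
    "xdm.network.dhcp.yiaddr",
    "xdm.network.dhcp.siaddr",
]


def expand_alias(fields, op, value):
    """Rewrite `XDM_ALIAS.<name> <op> "value"` into the alias-free filter
    expression the text gives as its equivalent: '=' becomes an OR over the
    alias fields and '!=' becomes an AND over the alias fields."""
    if op == "=":
        joiner = " or "
    elif op == "!=":
        joiner = " and "
    else:
        raise ValueError(f"operator not covered by this example: {op!r}")
    return joiner.join(f'{field} {op} "{value}"' for field in fields)


def evaluate_alias(record, fields, op, value):
    """Evaluate the expanded expression against one record, given as a dict
    of field name -> value. Assumption: a field absent from the record is
    treated as not equal to the value."""
    if op == "=":
        return any(record.get(field) == value for field in fields)
    if op == "!=":
        return all(record.get(field) != value for field in fields)
    raise ValueError(f"operator not covered by this example: {op!r}")


def some_field_differs(record, fields, value):
    """The reading that the '!=' expansion deliberately does NOT have: true
    as soon as one alias field differs from the value. Included only to
    contrast with evaluate_alias on the same record."""
    return any(record.get(field) != value for field in fields)


# Constructed records, not Cortex data. In SOURCE_MATCH exactly one alias
# field equals the searched address; in NO_MATCH none does.
SOURCE_MATCH = {"xdm.source.ipv4": "10.10.10.10", "xdm.target.ipv4": "10.10.10.20"}
NO_MATCH = {"xdm.source.ipv4": "10.10.10.30", "xdm.target.ipv4": "10.10.10.20"}


if __name__ == "__main__":
    for op in ("=", "!="):
        print(f"XDM_ALIAS.ipv4 {op} \"10.10.10.10\"  ->  "
              + expand_alias(IPV4_ALIAS_FIELDS, op, "10.10.10.10"))
    print(evaluate_alias(SOURCE_MATCH, IPV4_ALIAS_FIELDS, "=", "10.10.10.10"))   # True
    print(evaluate_alias(SOURCE_MATCH, IPV4_ALIAS_FIELDS, "!=", "10.10.10.10"))  # False
    print(some_field_differs(SOURCE_MATCH, IPV4_ALIAS_FIELDS, "10.10.10.10"))   # True
```

The last two printed lines are the point: for a record whose source address is 10.10.10.10 and whose target is something else, the AND-of-`!=` expansion returns false, matching the alias query's "does not display any rows that match at least once", whereas an OR-of-`!=` expansion would return true and let the record through.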