last_value - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-11-07
Category
Administrator Guide
Abstract

Learn more about the Cortex Query Language last_value() navigation function that is used with a windowcomp stage.

Syntax
windowcomp last_value(<field>) [by <field> [,<field>,...]] sort [asc|desc] <field1> [, [asc|desc] <field2>,...] [between 0|null|<number>|-<number> [and 0|null|<number>|-<number>] [frame_type=range]] [as <alias>]
Description

The last_value() function is a navigation function that is used in combination with a windowcomp stage. For each row, it returns the value of a field from the last row of that row's window frame. Rows are grouped into windows by the fields in the by clause, ordered within each window by the mandatory sort clause, and the frame of each row is set by the between clause.

Example

Return the last IP address a user authenticated from successfully.

preset = authentication_story
| filter auth_identity not in (null, """""") and auth_outcome = """SUCCESS""" and action_country != UNKNOWN
| alter et = to_epoch(_time), t = _time
| bin t span = 1d
| limit 100
| windowcomp last_value(action_local_ip) by auth_identity, t sort asc et between null and null as last_action_local_ip
| fields auth_identity, *action_local_ip
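The following is an added example, not part of the Cortex documentation: a small Python model of the windowcomp last_value() semantics, applied to the query above over constructed authentication records. It assumes the between bounds are row offsets relative to the current row with null meaning unbounded (the default row frame, not frame_type=range), and the to_epoch and bin helpers are simplified stand-ins for the XQL functions.

```python
from datetime import datetime, timezone

# Constructed sample authentication records (not real data).
RECORDS = [
    {"auth_identity": "alice", "_time": "2024-03-06T08:00:00Z", "action_local_ip": "10.0.0.5"},
    {"auth_identity": "alice", "_time": "2024-03-06T17:30:00Z", "action_local_ip": "10.0.0.9"},
    {"auth_identity": "alice", "_time": "2024-03-07T09:15:00Z", "action_local_ip": "10.0.1.2"},
    {"auth_identity": "bob",   "_time": "2024-03-06T12:00:00Z", "action_local_ip": "10.0.2.7"},
]

def to_epoch(ts):
    """Stand-in for XQL to_epoch(): ISO-8601 UTC timestamp to integer seconds."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())

def bin_day(ts):
    """Stand-in for `bin t span = 1d`: the calendar-day bucket the timestamp falls in."""
    return ts[:10]

def windowcomp_last_value(rows, field, by, sort_key, start=None, end=None):
    """Model of `windowcomp last_value(field) by <by> sort asc <key> between start and end`.
    Rows are partitioned on the `by` fields and sorted ascending by sort_key. start/end are
    row offsets relative to the current row (assumed semantics); None stands for XQL null,
    i.e. unbounded in that direction. Each row receives the field value of the LAST row in
    its frame, or None when the frame is empty."""
    groups = {}
    for r in rows:
        groups.setdefault(tuple(r[k] for k in by), []).append(r)
    out = []
    for grp in groups.values():
        grp.sort(key=sort_key)
        n = len(grp)
        for i, r in enumerate(grp):
            lo = 0 if start is None else max(0, i + start)
            hi = n - 1 if end is None else min(n - 1, i + end)
            out.append({**r, "last_value": grp[hi][field] if lo <= hi else None})
    return out

def last_ip_per_user_day(records, start=None, end=None):
    """The page's query, modelled: last successful-auth IP per user per day bucket.
    Returns {(auth_identity, day, _time): last_action_local_ip}."""
    rows = [{**r, "et": to_epoch(r["_time"]), "t": bin_day(r["_time"])} for r in records]
    result = windowcomp_last_value(rows, "action_local_ip", ["auth_identity", "t"],
                                   lambda r: r["et"], start, end)
    return {(r["auth_identity"], r["t"], r["_time"]): r["last_value"] for r in result}
```

With the unbounded frame from the query, every row of a user's day bucket carries that day's last IP; a frame that starts one row after the current row is empty for the last row of each bucket, so the value there is null.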