ltrim, rtrim, trim - Learn more about the Cortex Query Language ltrim(), rtrim(), and trim() functions that remove trim_characters from a string. - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation
Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2025-12-14
Category
Administrator Guide
Abstract

Learn more about the Cortex Query Language ltrim(), rtrim(), and trim() functions that remove trim_characters from a string.

Syntax
trim (<string>,[trim_characters])
rtrim (<string>,[trim_characters])
ltrim (<string>,[trim_characters])
Description

  • The trim() function removes all instances of the specified trim_characters defined in the second parameter of the function from the beginning and end of the string defined in the first parameter of the function.

  • The rtrim() function removes all instances of the specified trim_characters defined in the second parameter of the function from the end of the string defined in the first parameter of the function.

  • The ltrim() function removes all instances of the specified trim_characters defined in the second parameter of the function from the beginning of the string defined in the first parameter of the function.

Keep in mind the following important points before using these functions, where relevant examples are provided:

  • The specified trim_characters do not need to be in any order.

    Example 184. 

    Either of these yield the same result:

    rtrim("explorer.exe", ".ex")
    rtrim("explorer.exe", ".exe")
    rtrim("explorer.exe", "x.e")

    Output result:

    "explorer"

  • trim_characters don't support regular expressions or escape characters.

    Example 185. 
    ltrim("***a*aapple*", "*a")

    Output results:

    "pple*"

  • All occurrences of the trim_characters supplied are removed from left to right until it reaches a letter that is not part of the supplied letters.

    Example 186. 
    ltrim("hello world", "leh")

    Output results:

    "o world"

  • A space in the string can also be considered a character.

  • The ltrim(), rtrim(), and trim() functions are case sensitive unless there is an override.

    Example 187. 
    ltrim("***a*aapple*", "*A")

    Output results:

    "a*aapple*"

  • If you do not specify trim_characters, then whitespace (spaces and tabs) are removed.

    Example 188. 
    ltrim("  apple*")

    Output results:

    "apple*"

Examples

A complete query example, where the output results of each ltrim(), rtrim(), and trim() function is detailed in the comments.

config timeframe = 1w | dataset = xdr_data
| limit 1
| alter
    example_1 = rtrim("explorer.exe", "x.e"), // ---> "explorer"
    example_2 = ltrim("hello world", "leh"), // ---> "o world"
    example_3 = trim("  apple*  ", " "), // ---> "apple*"
    example_4 = ltrim("***a*aapple*", "*A") // ---> "a*aapple*"
| fields example*