object_merge - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Product: Cortex XSIAM
Creation date: 2024-03-06
Last date published: 2024-10-10
Category: Administrator Guide
Abstract

Learn more about the Cortex Query Language object_merge() function.

Syntax

object_merge(<obj1>, <obj2>, <obj3>, ...)

Description

The object_merge() function returns a new object created by merging the objects passed as arguments. When a key name appears in more than one of the objects, the value in the new object is taken from the latter argument.

Example

Two objects are created and merged. Some key names appear in both objects, including name, last_name, and age. Since the name value is the same in both objects, that name is used in the new object. The last_name and age values differ, so the values from the second object are used in the new object. The city key exists only in the second object and appears in the new object with its value unchanged.

dataset = xdr_data
| alter
  obj1 = object_create("name", "jane", "last_name", "doe", "age", 33),
  obj2 = object_create("name", "jane", "last_name", "simon", "age", 34, "city", "new-york")
| alter result = object_merge(obj1, obj2)
| fields result

The function returns the following new object in the RESULT column of the results table:

{"name": "jane", "last_name": "simon", "age": 34, "city": "new-york"}