Abstract
Learn more about the Cortex Query Language rank() numbering function that is used with a windowcomp stage.
Syntax
windowcomp rank() [by <field> [,<field>,...]] sort [asc|desc] <field1> [, [asc|desc] <field2>,...] [as <alias>]
Description
The rank() function is a numbering function that is used in combination with a windowcomp stage. It returns a single value, the ordinal (1-based) rank, for each row within its group of rows. The groups are defined by the optional by clause, and the order within each group is defined by the mandatory sort clause.
Example
Return an average ranking for the average CPU usage on metric_type=HOST. This allows you to see changes in the CPU usage compared to all hosts in the environment. The query returns a maximum of 100 it_metrics records. Rows are grouped by ft and ranked in descending order of cpu_avg_str, and the result is returned in the rank column.
dataset = it_metrics
| filter metric_type = HOST
| alter cpu_avg_str = to_string(cpu_avg)
| alter ft = date_floor(_time, "w")
| alter dt = date_floor(_time, "d")
| limit 100
| windowcomp rank() by ft sort desc cpu_avg_str as rank
| filter (agent_hostname contains $host_name)
| comp avg(rank) by dt
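The following Python sketch is an added illustration, not code from this page or from the product. It emulates the partition, sort, and rank steps of the query above on constructed rows. It assumes that tied sort values share a rank, that a string sort key compares lexicographically, and that weeks start on Monday; none of these is stated on this page. The helper names (rank_rows, avg_rank_by_day, page_query) are hypothetical.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows standing in for it_metrics records (not real data).
ROWS = [
    {"_time": datetime(2024, 3, 4, 9), "agent_hostname": "web-01", "cpu_avg": 9.5},
    {"_time": datetime(2024, 3, 4, 9), "agent_hostname": "db-01", "cpu_avg": 10.2},
    {"_time": datetime(2024, 3, 5, 9), "agent_hostname": "web-01", "cpu_avg": 55.0},
    {"_time": datetime(2024, 3, 5, 9), "agent_hostname": "db-01", "cpu_avg": 10.2},
    {"_time": datetime(2024, 3, 11, 9), "agent_hostname": "web-01", "cpu_avg": 20.0},
    {"_time": datetime(2024, 3, 11, 9), "agent_hostname": "db-01", "cpu_avg": 30.0},
]

def week_floor(ts):
    # Stand-in for date_floor(_time, "w"); a Monday week start is an assumption.
    return (ts - timedelta(days=ts.weekday())).replace(hour=0, minute=0, second=0, microsecond=0)

def rank_rows(rows, by, sort_key, desc=False):
    # Emulates: windowcomp rank() by <by> sort [asc|desc] <sort_key> as rank
    # Assumed tie handling: equal sort values share a rank, the next rank skips.
    groups = defaultdict(list)
    for row in rows:
        groups[by(row)].append(row)
    ranked = []
    for members in groups.values():
        prev, rank = object(), 0
        for pos, row in enumerate(sorted(members, key=sort_key, reverse=desc), start=1):
            if sort_key(row) != prev:
                rank, prev = pos, sort_key(row)
            ranked.append({**row, "rank": rank})
    return ranked

def avg_rank_by_day(ranked, host_substr):
    # Emulates: filter agent_hostname contains <host> | comp avg(rank) by dt
    per_day = defaultdict(list)
    for row in ranked:
        if host_substr in row["agent_hostname"]:
            per_day[row["_time"].date()].append(row["rank"])
    return {day: sum(r) / len(r) for day, r in sorted(per_day.items())}

def page_query(rows, host_substr, as_string=True):
    # as_string=True sorts on str(cpu_avg), mirroring cpu_avg_str in the page's query.
    key = (lambda r: str(r["cpu_avg"])) if as_string else (lambda r: r["cpu_avg"])
    ranked = rank_rows(rows, by=lambda r: week_floor(r["_time"]), sort_key=key, desc=True)
    return avg_rank_by_day(ranked, host_substr)

if __name__ == "__main__":
    print("string sort :", page_query(ROWS, "web", as_string=True))
    print("numeric sort:", page_query(ROWS, "web", as_string=False))
```

Under these assumptions, the host with 9.5% CPU ranks first in its week when the sort key is a string and last when it is numeric, so check the type of the sort field before reading the rank as a measure of load.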