replace - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product: Cortex XSIAM
Creation date: 2024-03-06
Last date published: 2024-10-07
Category: Administrator Guide
Abstract

Learn more about the Cortex Query Language replace() function that performs a substring replacement.

Syntax
replace (<field>, "<old_substring>", "<new_string>")
Description

The replace() function accepts a string field, and replaces all occurrences of a substring with a replacement string.

Examples

If '.exe' is present in the action_process_image_name field value, replace that substring with an empty string. This example uses the if() and lowercase() functions, as well as the contains operator, to perform the conditional check.

dataset = xdr_data 
| fields action_process_image_name as apin 
| filter apin != null 
| alter remove_exe_process = if(lowercase(apin) contains ".exe",
                              replace(lowercase(apin),".exe",""),
                              lowercase(apin)) 
| limit 10
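The following Python model of the query above is an added example, not part of the Cortex XSIAM documentation and not XQL itself; it emulates each stage of the pipeline over constructed rows (the dataset contents and the helper names are assumptions) so you can see that replace() removes every occurrence of the substring, not only a trailing file extension.

```python
"""Emulate the fields / filter / alter / limit stages of the XQL example on constructed rows."""
from typing import Dict, List, Optional


def xql_replace(value: str, old: str, new: str) -> str:
    """Mirror XQL replace(): every occurrence of `old` becomes `new` (plain substring match, not anchored)."""
    return value.replace(old, new)


def remove_exe_process(apin: Optional[str]) -> Optional[str]:
    """Mirror the `alter remove_exe_process = if(...)` stage for a single field value."""
    if apin is None:  # the filter stage drops these, but stay defensive
        return None
    lowered = apin.lower()  # lowercase(apin)
    if ".exe" in lowered:  # lowercase(apin) contains ".exe"
        return xql_replace(lowered, ".exe", "")
    return lowered


def run_pipeline(rows: List[Dict[str, Optional[str]]], limit: int = 10) -> List[Dict[str, Optional[str]]]:
    """fields action_process_image_name as apin | filter apin != null | alter ... | limit N."""
    out: List[Dict[str, Optional[str]]] = []
    for row in rows:
        apin = row.get("action_process_image_name")  # fields ... as apin
        if apin is None:  # filter apin != null
            continue
        out.append({"apin": apin, "remove_exe_process": remove_exe_process(apin)})
        if len(out) >= limit:  # limit 10
            break
    return out


# Constructed sample of xdr_data rows (hypothetical values, not real telemetry).
SAMPLE_ROWS: List[Dict[str, Optional[str]]] = [
    {"action_process_image_name": "Cmd.EXE"},          # mixed case: lowercased, suffix stripped
    {"action_process_image_name": "svchost.exe.bak"},  # ".exe" mid-string is removed too
    {"action_process_image_name": "setup.exe.exe"},    # both occurrences removed
    {"action_process_image_name": "bash"},             # no ".exe": only lowercased
    {"action_process_image_name": None},               # dropped by the filter stage
]

if __name__ == "__main__":
    for result in run_pipeline(SAMPLE_ROWS):
        print(result)
```

Because the match is a plain substring, "svchost.exe.bak" becomes "svchost.bak", which is worth remembering when the normalized name is used later for grouping or matching.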

See also the ltrim, rtrim, and trim function examples.