replacenull - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-10-10
Category
Administrator Guide
Abstract

Learn more about the Cortex Query Language replacenull stage that replaces null field values with a text string.

Syntax
replacenull <field> = <text string>
Description

The replacenull stage replaces null field values with the specified text string. This guarantees that every field in your result set will contain a value.

If you use the replacenull stage, then all subsequent stages that refer to the field's null value must use the replacement text string.

Examples

Return the action_country field from every xdr_data records where the action_country field is null, using the text string N/A in the place of an empty field value.

dataset = xdr_data 
| fields action_country as ac 
| replacenull ac = "N/A" 
| filter ac = "N/A"