Abstract
Learn more about the Cortex Query Language row_number() numbering function that is used with a windowcomp stage.
Syntax
windowcomp row_number() [by <field> [,<field>,...]] [sort [asc|desc] <field1> [, [asc|desc] <field2>,...]] [as <alias>]
Description
The row_number() function is a numbering function that is used in combination with a windowcomp stage. It returns a single value, the sequential 1-based row ordinal, for each row in a group of rows. The groups and the order of rows within them are defined by the combination of the by clause and sort.
Example
Return a single value for the sequential row ordinal (1-based) for each row in the group of rows. The query returns a maximum of 100 xdr_data records. The rows are ordered by source_ip in ascending order, and the ordinal is returned in the row_number_dns_query_name column.
dataset = xdr_data | limit 100 | windowcomp row_number() sort source_ip as row_number_dns_query_name
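The example above has no by clause, so all rows form one group. The following query is an added example, not part of the original documentation, that uses by and sort together to keep the three most recent records per host, a common triage pattern. The fields agent_hostname, _time and action_remote_ip and the alias event_rank are assumptions chosen for illustration.

```xql
// Added example: numbering restarts at 1 for each agent_hostname group.
// Field names and the alias are assumptions, not taken from the page.
dataset = xdr_data
| fields agent_hostname, _time, action_remote_ip
// Within each host, the newest record gets ordinal 1.
| windowcomp row_number() by agent_hostname sort desc _time as event_rank
// Keep only the three most recent records per host.
| filter event_rank <= 3
```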