row_number - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product: Cortex XSIAM
Creation date: 2024-03-06
Last date published: 2024-11-07
Category: Administrator Guide
Abstract

Learn more about the Cortex Query Language row_number() numbering function that is used with a windowcomp stage.

Syntax

windowcomp row_number() [by <field> [,<field>,...]] [sort [asc|desc] <field1> [, [asc|desc] <field2>,...]] [as <alias>]

Description

The row_number() function is a numbering function that is used in combination with a windowcomp stage. It returns a single value, the sequential row ordinal (1-based), for each row in a group of rows. The group and the ordering are set by the combination of the by clause and sort.

Example

Return a single value for the sequential row ordinal (1-based) for each row in the group of rows. The query returns a maximum of 100 xdr_data records. Rows are numbered in ascending order of source_ip, and the ordinal is returned in the row_number_dns_query_name column.

dataset = xdr_data
| limit 100
| windowcomp row_number() sort source_ip as row_number_dns_query_name
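The following query is an added example, not part of the original Cortex XSIAM documentation. It uses the by clause from the syntax above, which the documented example omits, to restart the numbering for each source_ip and keep only the most recent record per address. The _time field and the rn alias are assumptions chosen for illustration.

```xql
// Added example: number the records within each source_ip group, newest first.
// Assumes xdr_data records carry a _time timestamp; rn is an illustrative alias.
dataset = xdr_data
| filter source_ip != null
| windowcomp row_number() by source_ip sort desc _time as rn
// rn = 1 is the first row of each group, i.e. the latest record for that source_ip
| filter rn = 1
| fields source_ip, _time, rn
```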