row_number - Learn more about the Cortex Query Language row_number() numbering function that is used with a windowcomp stage. - Administrator Guide - Cortex XSIAM - Cortex

row_number - Learn more about the Cortex Query Language row_number() numbering function that is used with a windowcomp stage. - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product

Cortex XSIAM

Creation date

2024-03-06

Last date published

2026-02-05

Syntax

windowcomp row_number() [by <field> [,<field>,...]] [sort [asc|desc] <field1> [, [asc|desc] <field2>,...]] [as <alias>]

Description

The row_number() function is a numbering function that is used in combination with a windowcomp stage. This function is used to return a single value for the sequential row ordinal (1-based) for each row from a group of rows using a combination of the by clause and sort.

Example

Return a single value for the sequential row ordinal (1-based) for each row in the group of rows. The query returns a maximum of 100 xdr_data records. The results are ordered by the source_ip in ascending order in the row_number_dns_query_name column.

dataset = xdr_data                                                                                          
| limit 100                                                                      
| windowcomp row_number() sort source_ip as row_number_dns_query_name