split - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Product: Cortex XSIAM
Creation date: 2024-03-06
Last date published: 2024-10-10
Category: Administrator Guide

Abstract

Learn more about the Cortex Query Language split() function that splits a string and returns an array of string parts.

Syntax

split (<value> [, <string_delimiter>])

Description

The split() function splits a string using an optional delimiter, and returns the resulting substrings in an array. If no delimiter is specified, a space (' ') is used.

Examples

Split IP addresses into an array, each element of the array containing an IP octet.

dataset = xdr_data 
| fields action_local_ip  as alii 
| alter ip_octets = split(alii, ".") 
| limit 10
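
Added example, not part of the Cortex XSIAM documentation: split() with a "." delimiter breaks DNS query names into labels, and the resulting array is then used to surface names with many labels or an unusually long first label, a common triage heuristic for DNS tunneling. It assumes the dns_query_name and agent_hostname fields are populated in xdr_data; the thresholds 5 and 40 are constructed for illustration and need tuning per environment.

```xql
// Added example: thresholds and field selection are assumptions, not vendor guidance.
dataset = xdr_data
| filter dns_query_name != null
| fields agent_hostname, dns_query_name
// Split the queried name into its labels, e.g. "a.b.example.com" -> ["a", "b", "example", "com"]
| alter labels = split(dns_query_name, ".")
// Derive features from the array returned by split()
| alter label_count = array_length(labels),
        first_label = arrayindex(labels, 0)
| alter first_label_len = len(first_label)
// Keep names that are unusually deep or carry a long leftmost label
| filter label_count >= 5 or first_label_len >= 40
// Aggregate per host and name so repeated lookups stand out
| comp count(dns_query_name) as queries by agent_hostname, dns_query_name, label_count, first_label_len
| sort desc queries
| limit 50
```

The array returned by split() is zero-indexed when read with arrayindex(), so index 0 is the leftmost label of the queried name.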