subtract - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product: Cortex XSIAM
Creation date: 2024-03-06
Last date published: 2024-10-10
Category: Administrator Guide
Abstract

Learn more about the Cortex Query Language subtract() function that subtracts two integers.

Syntax
subtract (<string1> | <integer1>, <string2> | <integer2>)
Description

The subtract() function subtracts two positive integers, returning the first argument minus the second argument. Each parameter may be either an integer literal or an integer held as a string type, such as a value contained in a data field.

Example
dataset = xdr_data 
| alter mynum = subtract(action_file_size, 3) 
| fields action_file_size, mynum 
| filter action_file_size > 3 
| limit 1