Learn more about the Cortex Query Language target stage that saves query results to a dataset or lookup dataset.
Syntax
target type=dataset|lookup [append=true|false] <dataset name>
Description
The target() stage saves query results to a named dataset or lookup. These are persistent and can be used in subsequent queries. This stage must be the last stage specified in the query.
The type argument defines the type of dataset to create, when a new one needs to be created. The following types are supported:
dataset: A regular dataset of type USER. Use dataset if you are saving the query results for use in future queries.
lookup: A small lookup table with a 50MB limit. This lookup table can be used with parsing rules and downloaded as a JSON file. Use lookup if you want to export the query results to a disk.
Optional Append
Use append to define whether the data from the current query should be appended to the dataset (true) or re-created as a new dataset (false). If no append is included, the default is false. This means that after the query runs, the data in an existing dataset is replaced with the new data.
Example 1
Save the results of a simple query to a named dataset.
dataset = xdr_data | fields action_boot_time as abt | filter abt != null | target type=dataset abt_dataset
Subsequently, you can query the new dataset. Notice that the field names used by the new dataset conform to the aliases that you used when you created the dataset:
dataset = abt_dataset | filter abt = 1603986614040
Example 2
The following example creates a dataset with the number of agents per country.
dataset = xdr_data | fields agent_id, action_country | comp count_distinct(agent_id) as count by action_country | target type=dataset append=false agents_per_country
This results in the following XQL JSON:
{
  "tables": [ "xdr_data" ],
  "original_query": "\n dataset=xdr_data\n | fields agent_id, action_country \n | comp count_distinct(agent_id) as count by action_country\n | target type=dataset append=false agents_per_country\n ",
  "stages": [
    {
      "FIELD_SELECT": {
        "fields": [
          { "name": "agent_id", "as": None },
          { "name": "action_country", "as": None }
        ],
        "exclude": []
      }
    },
    {
      "GROUP": {
        "aggregations": [
          { "function": "count_distinct", "parameters": [ "$agent_id" ], "name": "count" }
        ],
        "key": [ "action_country" ]
      }
    }
  ],
  "output": [
    { "TARGET": { "type": "dataset", "target": "agents_per_country", "append": False } }
  ]
}
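One way to review saved queries for the last-stage rule and the append default described above, as an added example that is not part of the original page or of the product: a Python check that parses the target stage according to the Syntax line. The function names, the pipe splitting, and the \w+ dataset-name pattern are assumptions made for this example.

```python
import re

# Grammar from the Syntax line on this page:
#   target type=dataset|lookup [append=true|false] <dataset name>
# Assumption: dataset names are plain word characters (\w+).
TARGET_RE = re.compile(
    r"^target\s+type\s*=\s*(?P<type>dataset|lookup)"
    r"(?:\s+append\s*=\s*(?P<append>true|false))?"
    r"\s+(?P<name>\w+)$"
)

def split_stages(query):
    """Split on '|' outside double-quoted strings (simplifying assumption)."""
    stages, buf, in_str = [], [], False
    for ch in query:
        if ch == '"':
            in_str = not in_str
        if ch == "|" and not in_str:
            stages.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    stages.append("".join(buf).strip())
    return stages

def check_target(query):
    """Return (findings, info) for the target stage of one XQL query."""
    stages = split_stages(query)
    idx = [i for i, s in enumerate(stages) if re.match(r"target\b", s)]
    if not idx:
        return [], None  # query saves nothing
    findings = []
    if len(idx) > 1 or idx[0] != len(stages) - 1:
        findings.append("target must be the last stage")
    m = TARGET_RE.match(stages[idx[-1]])
    if not m:
        findings.append("target stage does not match documented syntax")
        return findings, None
    # An omitted append means false: existing data is replaced.
    info = {"type": m.group("type"), "name": m.group("name"),
            "append": m.group("append") == "true"}
    if not info["append"]:
        findings.append(f"replaces existing data in '{info['name']}'")
    return findings, info

if __name__ == "__main__":
    # Example 1 query from this page; append is omitted, so it overwrites.
    print(check_target("dataset = xdr_data | fields action_boot_time as abt "
                       "| filter abt != null | target type=dataset abt_dataset"))
```

Running it over a library of scheduled queries highlights every target stage that replaces an existing dataset rather than appending to it.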