top - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-10-13
Category
Administrator Guide
Abstract

Learn more about the Cortex Query Language top stage, which returns the approximate count of the top elements for a field and the percentage of the total that each count represents.

Note

This stage is unsupported with Correlation Rules.

Syntax
top <integer> <field> [by <field1>, <field2>...] [top_count as <column name>, top_percent as <column name>]
Description

The top stage returns the approximate count of top elements for a given field and the percentage of the count results relative to the total number of values for the designated field. Use this top stage to produce approximate results, which are more scalable in terms of memory usage and time.

The <integer> in the syntax represents the number of top elements to return. If a number is not specified, up to 10 elements are returned by default. The approximate count is listed in the results table in a column called TOP_COUNT and the percentage in a column called TOP_PERCENT. You can rename both columns by defining top_count as <column name>, top_percent as <column name> in the syntax. If you define only one column name in the syntax, the results table displays that column without displaying the other column.

Examples

Returns a table with 3 columns called EVENT_ID, TOP_COUNT, and TOP_PERCENT with up to 10 unique values for event_id with the corresponding counts and percentages.

dataset = xdr_data
| top event_id

Returns a table with 3 columns called ACTION_COUNTRY, EVENT_ID, and TOTAL, with the single most frequent event_id value for each action_country and its corresponding count in the TOTAL column. Because only top_count is renamed, the percentage column is not displayed.

dataset = xdr_data
| top 1 event_id by action_country top_count as total
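To make the semantics of the two examples above concrete, the following Python snippet models what the top stage produces when run over a handful of constructed event rows. It is an added illustration, not Cortex XSIAM code or an implementation of XQL: it computes exact counts where the real stage returns approximations, the sample rows and the top_stage function are invented for the example, and it assumes (the page does not say) that when a by clause is used each percentage is relative to its own group's total and that rows where the field is null are not counted.

```python
"""Illustrative model of the XQL `top` stage (added example, not XSIAM code).

Exact counts are used here; the real stage returns approximate counts.
"""
from collections import Counter, defaultdict

# Constructed sample rows standing in for xdr_data records (not real telemetry).
SAMPLE_ROWS = [
    {"event_id": "e1", "action_country": "US"},
    {"event_id": "e1", "action_country": "US"},
    {"event_id": "e1", "action_country": "US"},
    {"event_id": "e2", "action_country": "US"},
    {"event_id": "e3", "action_country": "US"},
    {"event_id": None, "action_country": "US"},   # null field value: not counted
    {"event_id": "e2", "action_country": "DE"},
    {"event_id": "e2", "action_country": "DE"},
    {"event_id": "e1", "action_country": "DE"},
    {"event_id": "e3", "action_country": "FR"},
    {"event_id": "e3", "action_country": "FR"},
]


def top_stage(rows, field, n=10, by=None, top_count="TOP_COUNT", top_percent="TOP_PERCENT"):
    """Return one result row (dict) per top value, like `top <n> <field> [by ...]`.

    n defaults to 10, matching the stage's default. Passing None for
    top_count or top_percent drops that column, modelling the documented
    behaviour when only one of the two names is given in the syntax.
    Assumption: with `by`, percentages are relative to the group's total.
    """
    by = by or []
    groups = defaultdict(Counter)
    for row in rows:
        value = row.get(field)
        if value is None:
            continue  # null values do not contribute to counts or totals
        key = tuple(row.get(b) for b in by)
        groups[key][value] += 1

    results = []
    for key, counter in groups.items():
        total = sum(counter.values())
        for value, count in counter.most_common(n):
            result = dict(zip((b.upper() for b in by), key))
            result[field.upper()] = value
            if top_count:
                result[top_count.upper()] = count
            if top_percent:
                result[top_percent.upper()] = round(100.0 * count / total, 2)
            results.append(result)
    return results


if __name__ == "__main__":
    # Equivalent of: dataset = xdr_data | top event_id
    for r in top_stage(SAMPLE_ROWS, "event_id"):
        print(r)
    # Equivalent of: dataset = xdr_data | top 1 event_id by action_country top_count as total
    for r in top_stage(SAMPLE_ROWS, "event_id", n=1, by=["action_country"],
                       top_count="total", top_percent=None):
        print(r)
```

Running the block prints three rows for the ungrouped query (e1 at 40%, e2 and e3 at 30% each, since the null row is excluded from the total of 10) and one row per country for the grouped query, each carrying only the renamed TOTAL column.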