Learn more about the Cortex Query Language view stage that configures the display of the result set.
Syntax
view highlight fields = <field1>[,<field2>,...] values = <value1>[,<value2>,...]

view graph type = area | bubble | column | funnel | gauge | line | map | pie | scatter | single | wordcloud xaxis = <field1> yaxis = <field2> [<optional parameters>]

Optional series parameter:

view graph type = area | bubble | column | line | map | scatter xaxis = <field1> yaxis = <field2> [<optional parameters>] [series = <field3> [<optional parameters>] ]

view column order = default | populated
Description
The view() stage configures the display of the result set in the following ways:

highlight: Highlights specified strings that Cortex XSIAM finds in the specified fields. The highlight values you provide are matched as a substring search, so a partial value can also be highlighted in the final results table.

graph type: Creates an area, bubble, column, funnel, gauge, line, map, pie, scatter, single, or wordcloud chart based on the values found for the fields specified in the xaxis and yaxis parameters. In this mode, view also offers a large number of parameters that allow you to control colors, decorations, and other behavior used for the final chart; the available options differ depending on the type of graph selected. You can also define a graph subtype when setting the graph type to either column or pie.

(Optional) series: When creating an area, bubble, column, line, map, or scatter chart, you can define a series parameter by specifying a field (column) to group chart results based on y-axis values. The series parameter is only supported when defining a single y-axis value.

You can also generate graphs and outputs of your query data directly in the Query Builder after running a Cortex Query Language (XQL) query in the Query Results tab, without having to add the syntax to the query. For more information, see Graph query results.

Note
If you use graph type, the fields specified for xaxis and yaxis must be collatable or the query will fail.

column order: Enables you to list the query results by popularity, where the fields with the most non-null values returned are displayed first, using the syntax view column order = populated. By default, if column order is not defined (or view column order = default), the original column order is used.

Note
This option does not apply to Cortex Query Language (XQL) queries in widgets, Correlation Rules, public APIs, reports, and dashboards. If you include the view column order syntax in these types of queries, Cortex XSIAM disregards the stage and completes the rest of the query.
Examples
Use the dedup stage to collect unique combinations of event_type and event_sub_type values. Highlight the word "STREAM" when it appears in the result set.
dataset = xdr_data | fields event_type, event_sub_type | dedup event_type, event_sub_type by asc _time | view highlight fields = event_sub_type values = "STREAM"
Count the number of unique files accessed by each user, and show a column graph of the results, where the number of unique files are grouped by username. This query uses comp count_distinct to calculate the number of unique files per username.
dataset = xdr_data | fields actor_effective_username as username, action_file_path as file_path | filter file_path != null and username != null | comp count_distinct(file_path) as file_count by username | view graph type = column xaxis = username yaxis = file_count series = username
Count the number of unique files accessed by each user, and display the results by popularity, so that the fields with the most non-null values returned are shown first. This query uses comp count_distinct to calculate the number of unique files per username.
dataset = xdr_data | fields actor_effective_username as username, action_file_path as file_path | filter file_path != null and username != null | comp count_distinct(file_path) as file_count by username | view column order = populated
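The following query is an added example, not part of the original documentation, that illustrates the series parameter described above with a grouping field different from the x-axis field: it counts events per event_type and splits each column by event_sub_type. It assumes only the xdr_data dataset and the event_type, event_sub_type, and actor_effective_username fields already used on this page, and relies on comp count() to produce the single y-axis value that series requires.

```xql
// Added example (not from the original page): count events per event_type,
// then draw a column chart with one series per event_sub_type.
// Fields and dataset are those used elsewhere on this page; the count() aggregation
// gives the single y-axis value that the series parameter requires.
dataset = xdr_data
| fields event_type, event_sub_type, actor_effective_username as username
| filter username != null and event_sub_type != null
| comp count() as event_count by event_type, event_sub_type
| view graph type = column xaxis = event_type yaxis = event_count series = event_sub_type
```

Because series groups results by y-axis values, every event_sub_type becomes its own colored segment within each event_type column, which makes uncommon sub-types visible next to the dominant ones at a glance.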