Abstract
Learn more about the Cortex Query Language if() function, which returns a result after evaluating a condition.
Syntax
if (<boolean_expression>, <true_return_expression>, <false_return_expression>)
Description
The if() function evaluates a boolean expression. If the expression evaluates as true, the function returns the result of evaluating the second argument. If the expression evaluates as false, the function returns the result of evaluating the third argument.
Examples
If '.exe' is present in the action_process_image_name field value, replace that substring with an empty string. This example uses the replace and lowercase functions, as well as the contains operator, to perform the conditional check.
dataset = xdr_data
| fields action_process_image_name as apin
| filter apin != null
| alter remove_exe_process = if(lowercase(apin) contains ".exe", // boolean expression
    replace(lowercase(apin), ".exe", ""), // return if true
    lowercase(apin)) // return if false
| limit 10
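As an added example (not part of the Cortex XQL documentation above), the false branch of if() can itself be another if() call, so a single alter stage can sort values into more than two buckets. The query uses the xdr_data dataset, the action_process_image_name field and the lowercase function and contains operator already shown; the comp count() aggregation at the end is assumed standard XQL and is used to summarise the buckets, and the bucket labels are arbitrary strings chosen for illustration.

```xql
dataset = xdr_data
| fields action_process_image_name as apin
| filter apin != null
| alter image_kind = if(lowercase(apin) contains ".exe",   // first condition
        "executable",                                      // true: done
        if(lowercase(apin) contains ".dll",                // false: test again
           "library",                                      // inner true
           "other"))                                       // neither matched
| comp count(apin) as events by image_kind
```

The nested form evaluates the second condition only for rows where the first was false, which is the same behaviour a chain of separate alter stages would give but in one expression. As with the page's own example, contains matches the substring anywhere in the value, not just as a trailing extension, so a directory name containing ".exe" is bucketed as "executable" too; check for that case before relying on the counts.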