values - Reference Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM XQL Language Reference

Product
Cortex XSIAM
Creation date
2024-02-26
Last date published
2024-04-21
Category
Reference Guide
Abstract

The Cortex Query Language (XQL) comp values aggregation returns an array of all the values seen for a field in the result set.

Syntax
comp values(<field>) [as <alias>] by <field_1>,<field_2> [addrawdata = true|false as <target field>]
Description

The values aggregation is a comp function that returns an array of all the values found for a given field, across all records that share the same values for the fields listed in the by clause. The array contains only non-null values, and each distinct value appears once, even if it repeats across many records in the result set. Optionally, you can rename the field shown in the results table by setting an alias with the syntax as <alias>.

In addition, you can control whether the raw data events used to compute the final comp results are included in the output by setting addrawdata to true or false (the default). When raw data events are included, the query runs for up to 50 fields that you define and displays up to 100 events.

Examples

Return an array containing all the values seen for the action_total_download field, for all records that have matching values for their actor_process_image_path and actor_process_command_line fields. The query returns a maximum of 100 xdr_data records and includes a raw_data column listing the raw data events used to produce the final comp results. This example also defines several aliases: actor_process_image_path uses the alias Process_Path, actor_process_command_line uses the alias Process_CMD, action_total_download uses the alias Download, and the values(Download) aggregation uses the alias values_download.

dataset = xdr_data
| fields actor_process_image_path as Process_Path, actor_process_command_line as Process_CMD, action_total_download as Download
| filter Download > 0
| limit 100
| comp values(Download) as values_download by Process_Path, Process_CMD addrawdata = true as raw_data
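The following Python model is an added example, not code from the Cortex XSIAM documentation or from Palo Alto Networks. It reproduces the semantics of the query above on a constructed batch of xdr_data-like records, so the grouping, deduplication, null exclusion and raw-event attachment described in this page can be checked offline: duplicate Download values collapse to one entry per group, null values are dropped from the array, and with addrawdata the contributing events are attached under the target field name. The record layout, function names and sample events are assumptions for illustration; they are not XQL or product APIs.

```python
"""Model of XQL `comp values(<field>) as <alias> by <fields> addrawdata = true as <target>`.

Added example for illustration; not part of Cortex XSIAM. Sample events and
helper names are constructed assumptions, not real telemetry or product APIs.
"""
from collections import OrderedDict

# Constructed xdr_data-like records (not real telemetry). Field names follow the
# page's example; the values are made up for the demonstration.
SAMPLE_EVENTS = [
    {"actor_process_image_path": r"C:\Windows\System32\curl.exe",
     "actor_process_command_line": "curl.exe -o a.bin http://example.invalid/a",
     "action_total_download": 4096},
    {"actor_process_image_path": r"C:\Windows\System32\curl.exe",
     "actor_process_command_line": "curl.exe -o a.bin http://example.invalid/a",
     "action_total_download": 4096},      # repeated value: appears once in the array
    {"actor_process_image_path": r"C:\Windows\System32\curl.exe",
     "actor_process_command_line": "curl.exe -o a.bin http://example.invalid/a",
     "action_total_download": 10240},
    {"actor_process_image_path": r"C:\Windows\System32\curl.exe",
     "actor_process_command_line": "curl.exe -o a.bin http://example.invalid/a",
     "action_total_download": None},      # null: never part of a values() array
    {"actor_process_image_path": r"C:\Program Files\Browser\browser.exe",
     "actor_process_command_line": "browser.exe --profile default",
     "action_total_download": 0},         # removed by the `filter Download > 0` stage
    {"actor_process_image_path": r"C:\Program Files\Browser\browser.exe",
     "actor_process_command_line": "browser.exe --profile default",
     "action_total_download": 512},
]


def comp_values(events, field, by, alias, addrawdata=False, raw_field="raw_data"):
    """Group `events` by the tuple of `by` fields and collect the distinct, non-null
    values of `field` in each group (first-seen order). With addrawdata=True each
    result row also carries the raw events that contributed to it, under `raw_field`,
    mirroring `addrawdata = true as <target field>`.
    """
    groups = OrderedDict()                       # keeps first-seen group order
    for ev in events:
        key = tuple(ev.get(f) for f in by)
        row = groups.setdefault(key, {"values": [], "raw": []})
        val = ev.get(field)
        if val is not None and val not in row["values"]:
            row["values"].append(val)            # distinct and non-null only
        row["raw"].append(ev)                    # every contributing event is kept
    results = []
    for key, row in groups.items():
        out = dict(zip(by, key))
        out[alias] = row["values"]
        if addrawdata:
            out[raw_field] = row["raw"]
        results.append(out)
    return results


def run_page_query(events, limit=100):
    """Model of the page's example: `fields ... as ...`, `filter Download > 0`,
    `limit 100`, then `comp values(Download) as values_download by Process_Path,
    Process_CMD addrawdata = true as raw_data`. The stage order matches the query,
    so `limit` caps the records fed into comp, not the number of result rows.
    """
    renamed = [
        {"Process_Path": e.get("actor_process_image_path"),
         "Process_CMD": e.get("actor_process_command_line"),
         "Download": e.get("action_total_download")}
        for e in events
    ]
    # A null Download does not satisfy `> 0`, so it is dropped here as well.
    filtered = [r for r in renamed if r["Download"] is not None and r["Download"] > 0]
    return comp_values(filtered[:limit], "Download", ["Process_Path", "Process_CMD"],
                       alias="values_download", addrawdata=True)


if __name__ == "__main__":
    for row in run_page_query(SAMPLE_EVENTS):
        print(row["Process_Path"], row["values_download"], len(row["raw_data"]), "raw events")
```

Running the script on the constructed sample yields two result rows: the curl.exe group with the array [4096, 10240] and three raw events, and the browser.exe group with [512] and one raw event. The null and zero-byte records never reach the array, which is the behaviour to expect when reviewing download volumes per process in a real query.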