Query for Datasource and related cases

T.Nurmi — Thu, 08 Jan 2026 10:58:17 GMT

Hi.

I try to create report for different datasource which create Cases or issues. i got error > Aggregation by original_tags field of type array is unsupported. when i try to use COMP with original_tags

Here is example what i try to do > | filter (`resolution_status` in (RESOLVED_FALSE_POSITIVE, RESOLVED_TRUE_POSITIVE))
//| filter (`resolution_status` in (RESOLVED_FALSE_POSITIVE, RESOLVED_TRUE_POSITIVE) and `original_tags` contains """DS:PANW/*/""")
| filter (`original_tags` contains """DS:""")

Re: Query for Datasource and related cases

susekar — Thu, 08 Jan 2026 15:04:50 GMT

Hello @T.Nurmi ,

Greetings for the day!

The error message Aggregation by original_tags field of type array is unsupported occurs because the original_tags field is stored as an array (a list of values), and the XQL comp (aggregate) stage cannot directly group data by an array object. This field captures the state of tags at the time of alert/incident creation.

To resolve this and successfully use comp with original_tags, you must first flatten the array into individual rows using the arrayexpand stage.

Recommended Solution

Insert the | arrayexpand original_tags command before your comp stage. This breaks the list of tags into separate records, allowing the aggregation engine to process each tag individually.

Updated Query Example:

dataset = incidents // or alerts
| filter resolution_status in (RESOLVED_FALSE_POSITIVE, RESOLVED_TRUE_POSITIVE)
| arrayexpand original_tags
| filter original_tags contains "DS:"
| comp count() as total_incidents by original_tags

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

Happy New Year!!

Thanks & Regards,
S. Subashkar Sekar

topic Re: Query for Datasource and related cases in Cortex XDR Discussions

Query for Datasource and related cases

Re: Query for Datasource and related cases

Recommended Solution