Falcon LogScale Documentation
/ Data Analysis 1.137.0-1.142.4
/ Searching Data

Query Editor

The data stored in a repository can be searched by entering items and queries in the Query Editor available from the Search page.

Figure 54. A Data Search


The Query Editor allows for robust, fast regex searches of server logs and metrics in your repositories and provides an editing environment where you can write your query. The Query Editor is fully editable, and you can enter single-line and multiple-line queries.

To create a new line, use Shift+Enter.

Tip

If you have used Tab to reach the search box, you may find that you cannot use Tab to tab out again, because Tab is a valid way of entering text within the box. To get out of the search box using only the keyboard, either use Alt+Tab, or change the way the browser captures the Tab key by using Ctrl+M on Windows or Ctrl+Shift+M to toggle between capturing and ignoring the Tab key.

The Search functionality in LogScale is very powerful and searches can range from quite simple to very complex, leveraging the CrowdStrike Query Language Syntax.

For more information on how to write queries and use query functions and aggregates, see Writing Queries.

© 2025 CrowdStrike All other marks contained herein are the property of their respective owners.