Use Cases

Use cases and example deployments.

  • A Better Parser with Kubernetes & LogScale
  • Advanced Log Routing with Fluent Bit
  • Collecting AWS S3 Logs with LogScale & FluentD
  • Comparing Averages over Search Intervals
  • Hashing, Masking, and Anonymizing Sensitive Data
  • Ingesting Application Logs
  • Integrating LogScale with Grafana
  • Log Management
  • Migrating from Elastic Stack
  • Migrating from Helm Chart to Operator
  • Running LogScale on Kubernetes
  • SentinelOne Audit Events
  • Webhooks Shell Scripts

© 2025 CrowdStrike All other marks contained herein are the property of their respective owners.