Operators & syntax quick reference
Comparison operators

| Operator | Meaning |
|---|---|
| `=` | equals (case-insensitive) |
| `!=` | not equals |
| `>` / `<` | greater / less than |
| `=*` | wildcard match |
| `!=*` | wildcard not match |
| `IN` | value in list |
| `NOT IN` | value not in list |
Logic & wildcards

| Token | Meaning |
|---|---|
| `AND` | both conditions true |
| `OR` | either condition true |
| `NOT` | negate condition |
| `*` | any-characters wildcard |
| `?` | single-character wildcard |
| `"..."` | exact phrase |
| `/regex/i` | regex with flag |
Time spans

| Span | Meaning |
|---|---|
| `1s` | 1 second |
| `1m` | 1 minute |
| `5m` | 5 minutes |
| `1h` | 1 hour |
| `1d` | 1 day |
| `1w` | 1 week |
Special / meta fields

| Field | Meaning |
|---|---|
| `@timestamp` | event time |
| `@rawstring` | raw log line |
| `@id` | event unique ID |
| `_count` | groupBy count result |
| `#kind` | event kind (alert) |
| `#repo` | repository name |
| `aid` | agent / host ID |
| `aip` | agent IP address |
Advanced CQL — := assignment & string functions
:= field assignment (mutation)
Creates or overwrites a field inline. More concise than eval().
Field:=value — assign literal
Field:=Field*1000 — epoch ms conversion
Field:=formatTime(...) — assign formatted time
Field:=format(...) — assign formatted string
Note: := is NG-SIEM / LogScale CQL syntax. eval() is the legacy equivalent.
format() — string interpolation
Builds a new string from multiple fields using printf-style placeholders.
format(format="%s → %s (PID: %s)", field=[ParentBaseFileName, FileName, TargetProcessId])
%s = string, %d = integer, %f = float, \n = newline, \t = tab
Combine with := to store as a new field: Chain:=format(...)
formatTime() — epoch → human timestamp
Converts a Unix epoch (ms) field to a human-readable string.
formatTime(format="%Y-%m-%d %H:%M:%S.%L %z", field="ProcessStartTime", timezone="Asia/Singapore")
Common format tokens: %Y year, %m month, %d day, %H hour, %M min, %S sec, %L ms, %z timezone offset
Important: multiply epoch seconds by 1000 first — LogScale expects milliseconds
Common timezones: Asia/Singapore, US/Eastern, US/Pacific, Europe/London, UTC
select() vs table()
Both project specific fields, but behave differently:
select([F1, F2, F3]) — keeps listed fields, preserves row-per-event, no implicit sort
table([F1, F2], sortby=F1, limit=200) — tabular output with optional sort + limit
Use select() when you want to continue piping; use table() as the terminal output step
Regex field matching — /pattern/flags
Regex can be written directly in a filter line, which allows flexible matching on any field.
ComputerName=/HOSTNAME/i — case-insensitive regex match
#event_simpleName=/ProcessRollup2/ — hash-prefixed (NG-SIEM) field
FileName=/^(powershell|cmd|wscript)\.exe$/i — anchored match
DomainName=/\.(top|xyz|ru|club)$/i — TLD regex
Flags: i = case-insensitive, no flag = case-sensitive
#field prefix targets NG-SIEM indexed fields (faster than regular field match)
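A complete query that chains the constructs above (anchored regex filter, := assignment, formatTime(), format() and table()) into a process-lineage hunt. It is an added example, not part of the original reference; the event and field names are the ones this page lists, while the UTC timezone and the 200-row limit are arbitrary choices.

```cql
// Added example: list script-host process launches with a readable parent -> child chain.
// ProcessRollup2, FileName, ParentBaseFileName, TargetProcessId, ProcessStartTime and
// ComputerName are the event/field names used elsewhere on this page.
#event_simpleName=ProcessRollup2
| FileName=/^(powershell|cmd|wscript)\.exe$/i        // anchored, case-insensitive regex filter
| ProcessStartTime_ms := ProcessStartTime * 1000     // sensor stores epoch seconds; formatTime() expects ms
| StartedAt := formatTime(format="%Y-%m-%d %H:%M:%S.%L %z", field=ProcessStartTime_ms, timezone="UTC")
| Chain := format(format="%s → %s (PID: %s)", field=[ParentBaseFileName, FileName, TargetProcessId])
| table([StartedAt, ComputerName, Chain], sortby=StartedAt, limit=200)   // table() as the terminal step
```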
case{} — inline conditional branching
Branch logic inside a pipe step — more powerful than eval(case(...)).
case {
LogonType_decimal=2 | Label:="Interactive";
LogonType_decimal=3 | Label:="Network";
* | Label:="Other";
}
* acts as the default / else branch; each branch ends with a semicolon.
parseInt() — hex/octal field conversion
Converts hex or octal string fields (common in CrowdStrike) to decimal.
parseInt(field=GroupRid, as="GroupRid_dec", radix=16, endian="big")
Used with GroupRid, UserRid, and other hex-encoded identity fields
radix: 16 = hex, 8 = octal, 10 = decimal
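An added example (not from the original reference) that combines case{} labelling with parseInt() decoding and then summarises logons per host. The page names the fields LogonType_decimal and UserRid but not the event carrying them; assuming they arrive on the UserLogon event is this example's assumption, and logon type 10 is the standard Windows RemoteInteractive code.

```cql
// Added example: label logon types, decode the hex UserRid, and count per host and label.
// Assumption: UserLogon is the event that carries LogonType_decimal and UserRid.
#event_simpleName=UserLogon
| case {
    LogonType_decimal=2  | Label:="Interactive";
    LogonType_decimal=3  | Label:="Network";
    LogonType_decimal=10 | Label:="RemoteInteractive";   // RDP-style logon (standard Windows code)
    *                    | Label:="Other";               // default / else branch
  }
| parseInt(field=UserRid, as="UserRid_dec", radix=16, endian="big")   // e.g. "000001f4" -> 500
| groupBy([ComputerName, Label, UserRid_dec], function=count())       // result lands in _count
| table([ComputerName, Label, UserRid_dec, _count], sortby=_count, limit=50)
```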