Comments
The CrowdStrike Query Language (CQL) supports // single-line and /* multi-line */ comments.
Single-line comments should be used at the end of a line, for example:
```logscale
#host=github #parser=json
| // Search for host and parser
repo.name=docker/*
| groupBy(repo.name, function=count())
| sort()
```
Multi-line comments are useful to provide a deeper description or documentation for a search. For example:
```logscale
/* Search for killed processes
Set the <signal> type and <process> name */
?{signal="*" }
| ?{process="*"}
| /Service exited due to (?<signal>\S+)/
| signal = ?signal
| /sent by (?<process>\S+)\[\d+\]/
| process = ?process
```