Query Language Syntax
The CrowdStrike Query Language (CQL) is the syntax that lets you compose queries to retrieve, process, and analyze data in Falcon LogScale.
The query language is built around a chain of data-processing commands linked together. Each expression passes its result to the next expression in the sequence, allowing you to create complex queries by combining query expressions. This architecture is similar to command pipes, a powerful and flexible mechanism for advanced data analysis in Unix and Linux shells.
This reference section on the CrowdStrike Query Language provides detailed explanations on several related topics. They are listed below with brief descriptions — click on a heading to see more:
Adding comments to query syntax is a great way to facilitate knowledge transfer and make query triage much easier. The CrowdStrike Query Language (CQL) supports // single-line and /* multi-line */ comments.
When querying data in LogScale, filters may be used to reduce the results to the relevant data. You can use free-text filters to grep data, or you can filter based on fields, stipulating acceptable field values or using regular expressions for matching field contents.
For filtering, there are several operators available: besides logical operators, there are also some comparison operators to narrow search results to what's most important to you.
To improve result sets, as well as to construct more complex queries, you can create new fields when querying data. You can do this using the
:=syntax, theassyntax, a regex, oreval()function.User-configurable parameters can be added to a query to allow for the user to specify a value in place of a fixed value within the query.
Although CrowdStrike Query Language does not provide a typical conditional syntax, there are ways to evaluate data conditionally. You can use a
casestatement or amatchstatement.Guidance on using, processing and identifying information from array. This applies to Array Query Functions, for indexing and selecting members in objects using a syntax similar to JSON.
LogScale query functions take a set of events, parameters, or configurations.
Some LogScale functions and constructs allow writing expressions instead of simple values or field names, for example, to perform computations.
For time related queries, you may want to know about Rate Unit Conversion, or about relative time syntax.
Regular expressions in CrowdStrike Query Language are similar to most regular expression environments, with slight differences though.
Section in other parts of this manual:
You can use query functions to get values, or reduce results. LogScale provides many built-in query functions, and you can combine them to create your own.
LogScale supports different methods for joining content between event sets.
Other manuals:
CrowdStrike Query Language Grammar Subset
This grammar is a subset of the CrowdStrike Query Language, intended as a guide for programmatically generating LogScale queries (not for parsing them).
Falcon LogScale Beginner Introduction
The Falcon LogScale Beginner Introduction. It will link you to an interactive tutorial that will introduce you to queries in LogScale and let you try sample queries that will demonstrate the basic principles.