Query Readability & Better Usage
Sifting through the data can range from quite simple searches to very complex queries. Reading, using or reusing a query can be easier if the query is written according to some basic recommendations.
Multi-line Queries
Queries can be split over multiple lines, with the convention of using the pipe operator as the break point, to chain the different expressions within. For example, the following query:
#host=github #parser=json | repo.name=docker | groupBy(repo.name, function=count()) | sort()
is identical to:
#host=github #parser=json
| repo.name=docker
| groupBy(repo.name, function=count())
| sort()
but the latter is easier to read.
Tip
Press Shift
+
Enter
to insert a line break
within the query.
Comments
The CrowdStrike Query Language (CQL) supports // single-line and /* multi-line */ comments.
Single-line comments should be used at the end of a line, for example:
#host=github #parser=json
| // Search for host and parser
repo.name=docker/*
| groupBy(repo.name, function=count())
| sort()
Multi-line comments are useful to provide a deeper description or documentation for a search. For example:
/* Search for killed processes
Set the <signal> type and <process> name */
?{signal="*" }
| ?{process="*"}
| /Service exited due to (?<signal>\S+)/
| signal = ?signal
| /sent by (?<process>\S+)\[\d+\]/
| process = ?process