Search Data
The data stored in repositories in LogScale can be searched, filtered, and formatted using the CrowdStrike Query Language (CQL). Searches are primarily done through the web interface, from the Search page of a repository; see Search Interface for details on how to navigate the search UI.
Search Data Sequence
This diagram suggests a step-by-step workflow for searching LogScale data, following a typical order of operations. Each step gives details on what you can do when searching, with links to the related documentation.
Taking each step in turn:
| Step | Search Item or Operation | Description |
|---|---|---|
| 1. Search Data: the basics of searching a repository. | Query Editor | To start searching data, you enter a query in the Query Editor. This is the primary interface and supports fast, regex-capable searches of server logs and metrics in your repositories. |
| | Event Fields | Each event in a repository is parsed into multiple fields for easy sorting and searching. There are different kinds of event fields available. |
| | Search Status | Whenever a repository is searched, status information on that search is displayed in the status bar (the bottom line of LogScale's UI). |
| 2. Change Results Display: the default display of search results is usually adequate, especially when first constructing a query, but you can improve how the results are displayed. | Display Fields | In the UI, the Fields Panel lists the event fields on which you may search in a repository. |
| | Format Columns | You can add, remove, and reorder the field columns in search results, and reformat the contents of those columns for a more meaningful display. |
| | Highlight Filter Match | Search results can be highlighted based on the filters applied in the query. Highlighting shows where in the event text the query matched. |
| | Choose Visualization | Search results are ingested as text and are therefore displayed as text by default. You can change the display to show the data as graphs, pie charts, and other visualizations. |
| | Display Results and Events | Events are displayed in the search results in different tabs, depending on the query used. |
| 3. Refine Search Results: you can refine search results beyond the initial data display. | Manage Fields | When searching a repository, you can select the fields to search, and the fields on which to filter the results. |
| | Manage Fields | For a simpler display that is easier to review, you can select which fields in the query results to show and which to hide. |
| | Change Time Interval | Search results cover a specific time interval, such as the past day, the past month, or another range. Instead of static data, you can also display data for an interval that includes the current moment, known as live data. |
| | Set Time Zone | Each event is ingested into LogScale with a timestamp. Those timestamps are for a specific time zone, but the time zone can be changed in your search results; when correlating results with evidence from other systems, confirm which time zone the results are being displayed in. |
| 4. Search Deeper: you can get more information from a search and go deeper into the results without refining or rerunning the search. | Inspect Events | When you search a repository, you get a list of events in the Event List. Click a specific event to see more details in the Inspection Panel. |
| | Show in Context | You can open a detail view in the context of a single event and search for matching values over a different time interval. |
| | Event List Interactions | Search results may seem fairly limited at first. Depending on your user permissions, you can interact with the results to reveal much more information. |
| | Field Interactions | Contextual menus next to fields allow several operations, such as aggregating or filtering on those fields. |
| | Field Aliasing | Field aliasing simplifies correlating data from various sources. You can provide alternative names, or aliases, for fields created at parse time, across a view, or throughout the entire organization. |
| 5. Save and Export Search Results: queries can be saved for future use and results can be exported, with different saving options and export formats. | Save Results | As it can take some time to construct a search query, saving searches saves time. From the Search interface you can save queries, as well as other assets such as widgets or triggers. |
| | Export Data | Search results can be exported for use in another application: as they are, to a plain text file, or to other formats. |
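As an added example of the kind of query typed into the Query Editor in step 1 (this is not from the original page; the `#type` tag value and the `client`, `statuscode` and `url` field names are hypothetical and would come from your own parser), the following CQL pipeline filters events, extracts a field with a named regex capture group, aggregates, and sorts. It touches the Event Fields, Field Interactions and Choose Visualization items above: the `groupBy()` and `sort()` steps are the same operations the field context menus offer, and the resulting table can be switched to a chart.

```cql
// Filter step: keep only events carrying the (hypothetical) webserver tag
// whose parsed statuscode field is a server error.
#type=webserver statuscode>=500
// Extraction step: the regex with a named group creates a new field src_ip
// from the first IPv4 address found in the (hypothetical) client field.
| client=/^(?<src_ip>\d{1,3}(\.\d{1,3}){3})/
// Aggregation step: count matching events per source address and URL,
// naming the count column "errors".
| groupBy([src_ip, url], function=count(as=errors))
// Presentation step: noisiest sources first, capped to keep the table readable.
| sort(errors, order=desc, limit=20)
```

Each `|` stage narrows or reshapes the output of the previous one, so the time interval and live/static choice from step 3 apply to the whole pipeline, not to individual stages. A query like this can be saved from the Search interface as described in step 5.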