User Parameters (Variables)
Parameters accept user input without requiring the user to be able to modify the queries and dashboards. Parameters can be created using a question mark prefix, support default values for automated contexts like triggers and scheduled searches, and offer special syntax for handling multi-value inputs in dashboard implementations.
User-configurable parameters can be added to queries to allow users to specify a different value in place of a fixed value within the query. The user-configurable value can also be integrated with dashboards and saved searches.
To create user-supplied parameters, use the `?` character in front of a parameter name within a query (`?parameter`). The expression can be embedded in the query, and will be interpreted by dashboards and saved searches automatically, providing a prompt for user input.

In the following example, the named parameter will be `searchtext`.

```logscale
matchstring := ?searchtext
```

The parameter will automatically be identified and extracted when the query is used as part of a dashboard.

More complex parameters can be quoted:

```logscale
matchstring := ?"Matching String to Locate"
```

The parameter name will be used as the title of the parameter within the dashboard; using a quoted value allows for more descriptive parameter values.
For information on using parameters when using Dashboards, see Work with Dashboard Parameters.
For information on using parameters with saved searches, see Saved Searches (User Functions).
Using Common Parameters
When building a dashboard with multiple widgets and different queries, the parameters defined in each query will be extracted and then used to build all of the parameters for the dashboard.
To use the same parameter across multiple queries, use the same parameter definition in each query. For example, the following queries for different widgets on a single dashboard would create two unique parameters in the dashboard that the user could implement, and the same value for each parameter would be applied to both queries. This enables you to use common parameters across all the queries in a dashboard:
Detections

```logscale
metadata.eventType=DetectionSummaryEvent | event.ComputerName=?ComputerName AND metadata.customerIDString = ?cid
```

Computer List

```logscale
metadata.eventType = DetectionSummaryEvent | event.ComputerName=?ComputerName
```
Default Parameter Values
For queries executing automatically like Triggers or Scheduled searches, a default parameter value can be defined to ensure that the parameter has a value and the query doesn't fail.
To specify a default value, use the following syntax in your query:

```logscale
?{PARAMETER=VALUE}
```

Where:

`PARAMETER`
The name of the parameter. Parameter names can be quoted to include spaces or non-alphanumeric characters.

`VALUE`
The default value to be applied.

For example, this creates the parameter `param` with the default value `default_value`:

```logscale
?{param=default_value}
```

Important

Default values are only supported for saved searches. Within the user interface or dashboards, the glob `*` value is used by default. Any default value configured in the parameter is ignored.
Using Parameters in Saved Searches
Saved searches can make use of user-defined parameters, enabling values to be supplied to saved searches at execution time. For example, to create a saved search that executes a `groupBy()`, create a saved search called `grouped()`:

```logscale
groupBy(field=?{basefield="@host"})
```

This exposes the parameter `basefield` in the `grouped()` saved search, which can then be called using:

```logscale
$grouped(basefield="@host")
```

Multi-Value Parameters Syntax for Dashboards
When using Multi-value Parameters in dashboards, multiple values can be added at the same time by using commas as a delimiter for user-inputs in the UI. To add multi-value parameters to your query for a dashboard, use the syntax as in the following examples:
| User Input | Parameter Value Options |
|---|---|
| `cat, hat` | `cat` and `hat` |
| `"cat, hat"` | `cat, hat` |
| `\"cat, hat\"` | `"cat` and `hat"` |
| `\"cat\", \"hat\"` | `"cat"` and `"hat"` |
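
The four rows above can be reproduced with a small splitter, shown here in Python as an added example. It is not LogScale's own parser: the function name `split_multi_value` is hypothetical, and the handling of unterminated quotes and empty entries is an assumption.

```python
# Added illustration: a model of the multi-value splitting rules in the table
# above. Not LogScale's own parser; behaviour outside the four documented rows
# (unterminated quotes, empty entries) is an assumption.

def split_multi_value(user_input: str) -> list[str]:
    """Split dashboard input into parameter values.

    Rules taken from the table: a comma separates values, a double-quoted
    section keeps its commas and loses the quotes, and a backslash-escaped
    quote is kept as a literal quote character.
    """
    values = []
    current = []
    in_quotes = False
    i = 0
    while i < len(user_input):
        ch = user_input[i]
        if ch == "\\" and i + 1 < len(user_input) and user_input[i + 1] == '"':
            current.append('"')        # escaped quote: literal character
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes  # grouping quote: toggles state, not kept
        elif ch == "," and not in_quotes:
            values.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    if in_quotes:
        # Assumption: an unterminated quote is rejected rather than guessed at.
        raise ValueError("unterminated quote in parameter input")
    values.append("".join(current).strip())
    return [v for v in values if v]    # assumption: empty entries are dropped


# Constructed inputs: the four rows of the table.
SAMPLES = ['cat, hat', '"cat, hat"', r'\"cat, hat\"', r'\"cat\", \"hat\"']

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:24} -> {split_multi_value(sample)}")
```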
