Query Language Syntax

CrowdStrike Query Language (CQL) is the syntax that lets you compose queries to retrieve, process, and analyze data in Falcon LogScale.

CQL is built around a chain of data-processing commands: each expression passes its result to the next expression in the sequence, so complex queries are composed from simple steps. This architecture is similar to command pipes in Unix and Linux shells, a powerful and flexible mechanism for advanced data analysis.

This reference section provides detailed explanations of several related topics. They are listed below with brief descriptions; follow a heading to read the full topic:

  • Comments

    Adding comments to query syntax is a great way to facilitate knowledge transfer and make query triage easier. CQL supports // (single-line) and /* ... */ (multi-line) comments.

  • Query Filters

    When querying data in LogScale, filters reduce results to the relevant data. Besides free-text filters that grep through the raw data, filters can be applied to fields, either stipulating acceptable field values or using regular expressions to match field contents.

  • Operators

    Several operators are available for filtering. Besides logical operators, comparison operators narrow search results to what is most important.

  • Adding Fields to Events

    To improve result sets and construct more complex queries, new fields can be created when querying data. To do this, use the := syntax, the as parameter (available within some functions), a regex with named capture groups, or the eval() function.

  • User Parameters/Variables

    User-configurable parameters can be added to queries so that the user can specify a value in place of a fixed value within the query.

  • Conditional Evaluation

    Although CQL doesn't provide a typical conditional syntax, there are ways to evaluate data conditionally. You can use a case statement or a match statement.

  • Array Syntax

    Guidance on using and processing arrays and extracting information from them. This applies to Array Query Functions, which index and select members in objects using a syntax similar to JSON.

  • Function Syntax

    LogScale query functions take a set of events, parameters, or configurations.

  • Expressions

    Some LogScale functions and constructs allow expressions to be written in place of simple values or field names, for example to perform computations.

  • Regular Expression Syntax

    Regular expressions in CQL work like those in most regular expression environments, with slight differences.

  • Relative Time Syntax

    For time-related queries, you may want to know about Rate Unit Conversion or about relative time syntax.

Sections in other parts of this manual

  • Query Functions

    Query functions can be used to get values or reduce results. LogScale provides many built-in query functions, which can be combined to create new queries according to a user's needs.

  • Query Joins and Lookups

    LogScale supports different methods for joining content between event sets.

Other manuals:

  • CrowdStrike Query Language Grammar Subset

    This grammar schema is a subset of CQL, intended as a guide for programmatically generating LogScale queries (not for parsing them).

  • LogScale Overview

    This overview links to an interactive tutorial that introduces queries in LogScale and sample queries that demonstrate basic principles.