Skip to content
LogoLogScale DocumentationFull Library Knowledge Base Release Notes Integrations Query Examples Training API GraphQL API Contacting Support
help

Versions of this Page

    • Data Analysis Overview
    • LogScale User Interface
      • Managing Your Account
    • Manage Repositories and Views
      • Create Repository or View
      • Repository and View Settings
      • Falcon LTR Repositories
      • Lookup Files
      • Delete a Repository or View
    • Parse Data
      • Built-in Parsers
      • Create a Parser
      • Ingest Tokens
      • Parser Errors
      • Parsing Event Tags
      • Parsing Timestamps
    • Search Data
      • Query Editor
      • Event Fields
      • Display Fields
      • Select and Filter Fields
      • Add and Remove Fields
      • Display Results and Events
      • Inspect Events
      • Show in Context
      • Format Columns
      • Column Properties
      • Field Data Types
      • Field Interactions
      • Different Visuals
      • Change Time Interval
      • Set Time Zone
      • Save Results
      • Export Data
      • Search Status
      • Event List Interactions
    • Write Queries
      • Basic query principles
      • Returned events
      • Query management
        • Write new queries
        • Save queries
        • Recall Queries
        • Use saved queries in interactions
      • Common Queries
      • Statement order for better queries
      • Query readability and better usage
    • Automation
      • Alerts
        • Standard Alerts
        • Alert Activities
        • Creating Alerts
        • Managing Alerts
        • Editing an Alert
        • Setting Alert Throttle Period
        • Sending Aggregate Results to Actions
        • Monitoring Alerts
        • Diagnosing Alerts
          • Errors when Using Live join() Functions
          • Monitor Alerts with humio-activity Repository
            • Alert Raw Event Example
              • Filter alert errors and solutions
              • Legacy alert errors and solutions
      • Scheduled Searches
        • Creating a Scheduled Search
        • Spacing Out Searches
        • Scheduled Search Errors and Resolutions
      • Scheduled PDF Reports
        • Scheduled Reports Security
          • Creating a Scheduled PDF Role using the UI
        • Managing Scheduled Reports
        • Creating Scheduled Reports
        • Editing Scheduled Reports
        • Limitations
        • Scheduled Reports Errors and Resolutions
      • Cron Schedule Templates
      • Actions
        • Creating Actions
        • Managing Actions
        • Action Type: Email
        • Action Type: Falcon LogScale Repository
        • Action Type: OpsGenie
        • Action Type: PagerDuty
        • Action Type: Slack
        • Action Type: Upload File
        • Action Type: VictorOps (Splunk On-Call)
        • Action Type: Webhooks
        • Message Templates and Variables
    • Query Language Syntax
      • Comments
      • Query Filters
      • Operators
      • Adding Fields to Events
      • User Parameters/Variables
      • Conditional Evaluation
      • Array Syntax
      • Expressions
      • Function Syntax
      • Time Syntax
        • Supported Time Zones
        • Relative Time Syntax
      • Regular Expression Syntax
        • Regular Expression Syntax Patterns
        • Unsupported Regular Expression Patterns
        • Regular Expression Flags
        • Differences from Other Regex Implementations
    • Query Functions
      • Aggregate Query Functions
      • Array Query Functions
      • Comparison Query Functions
      • Conditional Query Functions
      • Data Manipulation Query Functions
      • Event Information Query Functions
      • Filtering Query Functions
      • Formatting Query Functions
      • Geolocation Query Functions
      • Hash Query Functions
      • Join Query Functions
      • Math Query Functions
      • Network and Location Query Functions
      • Parsing Query Functions
      • Preamble Query Functions
      • Regular Expression Query Functions
      • Security Related Query Functions
      • Statistics Query Functions
      • String Query Functions
      • Time and Date Query Functions
      • Tranformation Query Functions
      • Widget Query Functions
      • array:contains()
      • array:eval()
      • array:filter()
      • array:intersection()
      • array:reduceAll()
      • array:reduceColumn()
      • array:reduceRow()
      • array:regex()
      • array:union()
      • asn()
      • avg()
      • base64Decode()
      • beta:param()
      • beta:repeating()
      • bitfield:extractFlags()
      • bucket()
      • callFunction()
      • cidr()
      • coalesce()
      • collect()
      • communityId()
      • concat()
      • concatArray()
      • copyEvent()
      • count()
      • counterAsRate()
      • createEvents()
      • default()
      • drop()
      • dropEvent()
      • end()
      • eval()
      • eventFieldCount()
      • eventInternals()
      • eventSize()
      • fieldset()
      • fieldstats()
      • findTimestamp()
      • format()
      • formatDuration()
      • formatTime()
      • geohash()
      • groupBy()
      • hash()
      • hashMatch()
      • hashRewrite()
      • head()
      • in()
      • ioc:lookup()
      • ipLocation()
      • join()
      • json:prettyPrint()
      • kvParse()
      • length()
      • linReg()
      • lower()
      • lowercase()
      • match()
      • math:abs()
      • math:arccos()
      • math:arcsin()
      • math:arctan()
      • math:arctan2()
      • math:ceil()
      • math:cos()
      • math:cosh()
      • math:deg2rad()
      • math:exp()
      • math:expm1()
      • math:floor()
      • math:log()
      • math:log10()
      • math:log1p()
      • math:log2()
      • math:mod()
      • math:pow()
      • math:rad2deg()
      • math:sin()
      • math:sinh()
      • math:spherical2cartesian()
      • math:sqrt()
      • math:tan()
      • math:tanh()
      • max()
      • min()
      • now()
      • parseCEF()
      • parseCsv()
      • parseFixedWidth()
      • parseHexString()
      • parseInt()
      • parseJson()
      • parseLEEF()
      • parseTimestamp()
      • parseUrl()
      • parseXml()
      • percentile()
      • range()
      • rdns()
      • regex()
      • rename()
      • replace()
      • reverseDns()
      • round()
      • sample()
      • sankey()
      • select()
      • selectFromMax()
      • selectFromMin()
      • selectLast()
      • selfJoin()
      • selfJoinFilter()
      • series()
      • session()
      • shannonEntropy()
      • sort()
      • split()
      • splitString()
      • start()
      • stats()
      • stdDev()
      • stripAnsiCodes()
      • subnet()
      • sum()
      • table()
      • tail()
      • test()
      • time:dayOfMonth()
      • time:dayOfWeek()
      • time:dayOfWeekName()
      • time:dayOfYear()
      • time:hour()
      • time:millisecond()
      • time:minute()
      • time:month()
      • time:monthName()
      • time:second()
      • time:weekOfYear()
      • time:year()
      • timeChart()
      • tokenHash()
      • top()
      • transpose()
      • unit:convert()
      • upper()
      • urlDecode()
      • urlEncode()
      • window()
      • worldMap()
      • writeJson()
      • xml:prettyPrint()
    • Template Language
      • Template Expressions
      • Template Variable Types
      • Template Examples
    • Keyboard Shortcuts
Falcon LogScale Documentation
/ Data Analysis 1.83.0-1.88.0
/ Search Data
IMPORTANT: This manual will be archived after 15th December 2025. The manual will be available in a downloadable format and will continue to be updated, but not included as part of the active, searchable, documentation.

Save Results

It is possible to save search results, queries, dashboard widgets, and more. As it can take some time to construct a search query and if used often, saving searches and different widgets for reuse is time saving.

In the Results or Events tab, click Save and select one of the following options:

  • Saved search. You can make a saved query of your search. See Save queries for more information. See Save searches for more information.

  • Dashboard widget. If your search is visualized as one of the available widgets, you can save that widget for future use. See Dashboards for more information.

  • Scheduled search. You can save a scheduled search that will be invoked in a predefined time interval. If there is a result, the scheduled search will trigger its associated actions. See Scheduled Searches for more information.

  • Alert. You can save a query as an alert (if the type of search is appropriate). See Alerts for more information.

  • Export to File. This option will export the results of the query, all that is shown in the Results panel, to a file locally. See Export Data for more information.

screenshot showing the save button with its options

Figure 77. Save results


Support
  • Twitter
  • LinkedIn
  • Youtube

© 2025 CrowdStrike All other marks contained herein are the property of their respective owners.

  • Other articles on this topic

    • Dashboard Best Practices
    • Grammar Subset
    • Requirements and Build Information

  • Similar Content

    • Function Syntax
    • Query management
    • Template Examples
    • Template Expressions
    • Template Variable Types
    • User Parameters (Variables)
    • Write Queries

  • Security Audit Entries

    • Audit Log Event saved-query.create
    • Audit Log Event saved-query.delete
    • Audit Log Event saved-query.update

Enter search term