Skip to content
LogoLogScale DocumentationFull Library Knowledge Base Release Notes Integrations Query Examples Training API GraphQL API Contacting Support
help

Versions of this Page

    • Data Analysis Overview
    • LogScale Web Interface
      • System Tabs and Falcon Icon
      • Navigation Icons
        • Notifications
        • Releases and Release Notes
        • Help
        • Avatar icon
      • Informational Panels
      • Left-hand Navigation Panel
      • Table Components
      • Repositories and Views
        • Repositories and Views Menubar
        • Search interface
        • Dashboards interface
        • Automation interface
        • Parsers interface
        • Resources interface
          • Asset type interface elements
        • Settings interface
      • All Dashboards
      • Data Ingest
    • Manage Repositories & Views
      • Create Repository or View
      • Repository and View Settings
      • Falcon LTR Repositories
      • Lookup Files
      • Delete Repositories & Views
    • Manage Account
    • Parse Data
      • Built-in Parsers
      • Create a Parser
          • Normalize and Validate Against CPS Schema
      • Ingest Tokens
      • Parser Errors
      • Removing Fields
      • Event Tags
      • Parsing Timestamps
    • Search Data
      • Query Editor
      • Event Fields
      • Display Fields
      • Select & Filter Fields
      • Add & Remove Fields
      • Display Results and Events
      • Inspect Events
      • Copy Rows
      • Look Up Events
      • Show in Context
      • Format Columns
      • Column Properties
      • Field Data Types
      • Field Interactions
      • Different Visuals
      • Highlight Filter Match
      • Change Time Interval
      • Set Time Zone
      • Saved Searches
      • Export Data
      • Search Status
      • Event List Interactions
      • Field Aliasing
        • Configuring Field Aliasing
        • Managing Field Aliasing
        • Searching with Field Aliasing
        • Understanding Field Mapping Requirements
        • Understanding Schema Requirements
    • Write Queries
      • Basic query principles
      • Returned events
      • Query management
        • Write new queries
        • Save searches
        • Grant permissions for saved queries
        • Use saved queries in interactions
      • Common Queries
      • Statement order for better queries
      • Query readability & better usage
    • Query Language Syntax
      • Comments
      • Query Filters
      • Operators
      • Adding Fields to Events
      • User Parameters/Variables
      • Conditional Evaluation
      • Array Syntax
      • Expressions
      • Function Syntax
      • Time Syntax
        • Supported Time Zones
        • Relative Time Syntax
      • Regular Expression Syntax
        • Regular Expression Syntax Patterns
        • Unsupported Regular Expression Patterns
        • Regular Expression Flags
        • LogScale Regular Expression Engines
        • Differences from Other Regex Implementations
    • Query Joins and Lookups
      • Types of Join
      • Join Methods
      • Using Ad-hoc Tables
      • Using Lookup Files
        • Using the readFile() Function
        • Using the match() Function
      • Using join() or selfJoin()
        • Using the join() Function
        • Using the selfJoin() Function
        • Join Operation and Optimization
    • Query Functions
      • Aggregate Query Functions
      • Array Query Functions
      • Comparison Query Functions
      • Conditional Query Functions
      • Data Manipulation Query Functions
      • Event Information Query Functions
      • Filtering Query Functions
      • Formatting Query Functions
      • Geolocation Query Functions
      • Hash Query Functions
      • Join Query Functions
      • Math Query Functions
      • Network & Location Query Functions
      • Parsing Query Functions
      • Preamble Query Functions
      • Regular Expression Query Functions
      • Security Related Query Functions
      • Sequence Query Functions
      • Statistics Query Functions
      • String Query Functions
      • Time & Date Query Functions
      • Tranformation Query Functions
      • Widget Query Functions
      • accumulate()
      • array:append()
      • array:contains()
      • array:dedup()
      • array:drop()
      • array:eval()
      • array:exists()
      • array:filter()
      • array:intersection()
      • array:length()
      • array:reduceAll()
      • array:reduceColumn()
      • array:reduceRow()
      • array:regex()
      • array:rename()
      • array:sort()
      • array:union()
      • asn()
      • avg()
      • base64Decode()
      • base64Encode()
      • beta:param()
      • beta:repeating()
      • bitfield:extractFlags()
      • bitfield:extractFlagsAsArray()
      • bitfield:extractFlagsAsString()
      • bucket()
      • callFunction()
      • cidr()
      • coalesce()
      • collect()
      • communityId()
      • concat()
      • concatArray()
      • copyEvent()
      • correlate()
      • count()
      • counterAsRate()
      • createEvents()
      • crypto:md5()
      • crypto:sha1()
      • crypto:sha256()
      • default()
      • defineTable()
      • drop()
      • dropEvent()
      • duration()
      • end()
      • eval()
      • eventFieldCount()
      • eventInternals()
      • eventSize()
      • fieldset()
      • fieldstats()
      • findTimestamp()
      • format()
      • formatDuration()
      • formatTime()
      • geography:distance()
      • geohash()
      • getField()
      • groupBy()
      • hash()
      • hashMatch()
      • hashRewrite()
      • head()
      • if()
      • in()
      • ioc:lookup()
      • ipLocation()
      • join()
      • json:prettyPrint()
      • kvParse()
      • length()
      • linReg()
      • lower()
      • lowercase()
      • match()
      • math:abs()
      • math:arccos()
      • math:arcsin()
      • math:arctan()
      • math:arctan2()
      • math:ceil()
      • math:cos()
      • math:cosh()
      • math:deg2rad()
      • math:exp()
      • math:expm1()
      • math:floor()
      • math:log()
      • math:log10()
      • math:log1p()
      • math:log2()
      • math:mod()
      • math:pow()
      • math:rad2deg()
      • math:sin()
      • math:sinh()
      • math:spherical2cartesian()
      • math:sqrt()
      • math:tan()
      • math:tanh()
      • max()
      • min()
      • neighbor()
      • now()
      • objectArray:eval()
      • objectArray:exists()
      • parseCEF()
      • parseCsv()
      • parseFixedWidth()
      • parseHexString()
      • parseInt()
      • parseJson()
      • parseLEEF()
      • parseTimestamp()
      • parseUri()
      • parseUrl()
      • parseXml()
      • partition()
      • percentage()
      • percentile()
      • range()
      • rdns()
      • readFile()
      • regex()
      • rename()
      • replace()
      • reverseDns()
      • round()
      • sample()
      • sankey()
      • select()
      • selectFromMax()
      • selectFromMin()
      • selectLast()
      • selfJoin()
      • selfJoinFilter()
      • series()
      • session()
      • setField()
      • setTimeInterval()
      • shannonEntropy()
      • slidingTimeWindow()
      • slidingWindow()
      • sort()
      • split()
      • splitString()
      • start()
      • stats()
      • stdDev()
      • stripAnsiCodes()
      • subnet()
      • sum()
      • table()
      • tail()
      • test()
      • text:contains()
      • text:endsWith()
      • text:length()
      • text:positionOf()
      • text:startsWith()
      • text:substring()
      • time:dayOfMonth()
      • time:dayOfWeek()
      • time:dayOfWeekName()
      • time:dayOfYear()
      • time:hour()
      • time:millisecond()
      • time:minute()
      • time:month()
      • time:monthName()
      • time:second()
      • time:weekOfYear()
      • time:year()
      • timeChart()
      • tokenHash()
      • top()
      • transpose()
      • unit:convert()
      • upper()
      • urlDecode()
      • urlEncode()
      • wildcard()
      • window()
      • worldMap()
      • writeJson()
      • xml:prettyPrint()
    • Dashboards & Widgets
      • Create Dashboards and Widgets
      • Manage Widgets
      • Manage Dashboards
      • Edit Dashboards
      • Organize Information on Dashboards
        • Dashboard Sections
      • Work with Time on Dashboards
        • Shared Time Selector
        • Widget Time Selector
        • Section Time Selector
        • Live Dashboards
        • Time Zone Settings
        • Default Time Settings for Dashboards
      • Manage Dashboard Parameters
      • Manage Dashboard Interactions
      • Export Dashboards as PDF
        • PDF Export Options
      • Scheduled PDF Reports
        • Scheduled Reports Security
          • Create a Scheduled PDF Role using the UI
        • Managing Scheduled Reports
        • Create Scheduled Reports
        • Edit Scheduled Reports
        • Limitations
        • Scheduled Reports Errors and Resolutions
      • Widgets
        • Bar Chart Widget
        • Event List Widget
        • Gauge Widget
        • Heat Map Widget
        • Note Widget
        • Parameter Panel Widget
        • Pie Chart Widget
        • Sankey Diagram Widget
        • Scatter Chart Widget
        • Single Value Widget
        • Table Widget
        • Time Chart Widget
        • World Map Widget
        • Embedding iFrame Widgets
    • Automation
      • Triggers
        • What trigger type to choose
        • General information about triggers
        • Trigger management
          • Create triggers
          • Edit triggers
          • Manage triggers
        • Trigger properties
          • General properties
          • Configuration
          • Actions
          • Advanced settings
          • Scheduled search properties
        • Monitor, diagnose, and troubleshoot triggers
          • Monitor Trigger Execution through the humio-activity Repository
          • Aggregate alert errors and solutions
          • Scheduled search errors and solutions
          • Filter alert errors and solutions
          • Legacy alert errors and solutions
          • Errors when Using Live join() Functions
      • Actions
        • Create Actions
        • Manage Actions
        • Action Type: Email
        • Action Type: Falcon LogScale Repository
        • Action Type: OpsGenie
        • Action Type: PagerDuty
        • Action Type: Slack
        • Action Type: Lookup File
        • Action Type: VictorOps (Splunk On-Call)
        • Action Type: Webhooks
        • Send events that produced aggregate results to actions
        • Message Templates and Variables
      • Cron Scheduling
    • Template Language
      • Template Expressions
      • Template Variable Types
      • Template Examples
    • Keyboard Shortcuts
Falcon LogScale Documentation
/ Data Analysis 1.208.0-1.208.0
/ Search Data
/ Field Aliasing

Searching with Field Aliasing

Field aliasing affects search behavior in the following ways:

  • The aliased fields will exist on an event at search time, whenever the tag conditions are met on the same event.

  • The aliased fields contain the exact same data as the original field, and they behave identically to other fields when operating on them in the query language.

  • If an event contains a field with the same name as an alias, then the alias will overshadow the existing field.

  • Keep original field? option (see Figure 120, “Match fields and aliases”):

    • If disabled, only the alias can be searched. The original field is no longer searchable.

    • If enabled, the original field will still be searchable. Source fields and aliases are independent copies — modifying one in a query will not affect the other: this means that existing queries that use the original/source field names will still continue to work. This behavior can, however, come at the cost of some performance.

flowchart LR classDef behavior fill:#E6F3FF,stroke:#0066CC,stroke-width:2px A1[Tag conditions met on event] -->|Creates| A2[Aliased fields exist at search time] B1[Original fields] -->|Same data & behavior| B2[Aliased fields] C1[Original and alias have same name] -->|Results in| C2[Alias overshadows existing field] D1[Keep Original Field Option] --> D2{Enabled?} D2 -->|No| D3[Only alias searchable Original field not searchable] D2 -->|Yes| D4[Both fields searchable Independent copies Original queries work May impact performance] class A1,A2,B1,B2,C1,C2 behavior class D1,D2,D3,D4 option

Figure 127. Field Aliasing Search


Searches with Live Queries

Whenever you activate a schema or make changes to an existing active schema, these changes will take effect immediately, meaning any new search will use the new configuration.

For existing running live queries (such as alerts, or an already opened dashboard), these queries need to be restarted in order for the new configuration to take effect.

An exception to this rule is if the query contains a join(), selfJoin() or selfJoinFilter() function: these will use the new configuration on their next refresh. See Searches with Join Queries for more details.

Searches with Join Queries

As described in Join Operation and Optimization, queries with join functions simulate liveness by executing in repeated intervals. For queries with join functions where field aliasing is enabled (that is, there is an active schema on the view where the query is executed), the latest configuration of schema and alias mappings are used on each repeated execution.

Unlike live queries without joins (changes in the configuration does not impact an already running query) live queries using joins must be restarted at each schema or alias mappings configuration change.

As Join Query Functions allow specifying the repository for which the subquery should execute, the subquery will use the field alias configuration of the specified repository.

Searches in a Multi-Cluster Setup

Field aliasing can be used with LogScale Multi-Cluster Search. Only the schema active on the local cluster (either organization level or applied on the Multi-Cluster view) will be effective and applied to data from all remote views connected in the multi-cluster view. You can still use field aliasing on the remote clusters, however it will be effective only when searching the remote cluster directly. When running the search from the multi cluster view, schemas active on remote clusters will be ignored.

If you want to apply different mappings for each remote cluster, Multi-Cluster Views allow setting up an additional tag (#clusteridentity which is set to the value Cluster identity tag when configuring a connection) that can be used in the tag conditions of alias mappings.

For more information, see LogScale Multi-Cluster Search documentation.

Searches with Query Prefixes

LogScale has several types of query prefixes that are implicitly added to any query; field aliasing cannot always be used with these query prefixes. This means that those filters will not work with aliased fields, which are disabled for those queries. Query prefixes are:

Query Prefix Field Aliasing
View Connection filters, explained at Views Filtering Disabled. Aliased fields cannot be accessed in the view connection filter.
Deletion prefixes in Redact Events API Disabled. Aliased fields are not available in a filter query used with this API (it only operates on the parsed fields). If the same query is run on the Search page (for example, to check which events to delete before running the API) where field aliasing is set up, the search will produce different results. To avoid such a discrepancy, you may either disable the field aliasing configuration when running the query on search, or ensure you are not using aliased fields in the filter query executed through the API.
Role/User query prefix, explained at Assign Roles to Groups Enabled. You can access aliased fields when you define a query prefix for the role/user filter query.
Support
  • Twitter
  • LinkedIn
  • Youtube

© 2025 CrowdStrike All other marks contained herein are the property of their respective owners.

Sections on this Page

Searches with Live Queries
Searches with Join Queries
Searches in a Multi-Cluster Setup
Searches with Query Prefixes

  • Other articles on this topic

    • AWS Cloud Reference Architecture
    • AWS Cloud Reference Deployment and Automation
    • Accessing the cluster
    • Add a Query to Blocklist (Self-Hosted)
    • Adding a Query to the Blocklist (Cloud)
    • Adding a Query to the Blocklist (Self-Hosted)
    • Additional Considerations
    • Advanced Architecture Configuration
    • Alerts and Saved Searches Best Practices
    • Amazon Web Services
    • Audit Logging (Cloud)
    • Audit Logging (Self-Hosted)
    • Azure Reference Architecture
    • Basic Configuration
    • Bucket Storage Dashboard
    • Cluster Management (Self-Hosted)
    • Cluster Management Permissions (Self-Hosted)
    • Cluster topology
    • Configuration File Examples
    • Configure Security (Cloud)
    • Configure Security (Self-Hosted)
    • Configuring Multi-Cluster (Self-Hosted)
    • Connect: Passthru, Pipeline, or Pack
    • Creating a Multi-Cluster View using LogScale UI (Self-Hosted)
    • Dashboard Best Practices
    • Dashboard Widgets
    • Data Retention (Self-Hosted)
    • Datasources
    • Digest Rules
    • Enabling Single User (Self-Hosted)
    • Event Forwarders (Self-Hosted)
    • Event Forwarding (Self-Hosted)
    • Grammar Subset
    • Guidelines for Submitting a Package to LogScale Marketplace
    • Health Checks (Self-Hosted)
    • Humio Operator Overview
    • IP Filter
    • Ingest Listeners (Self-Hosted)
    • Ingestion: Storage Phase
    • Insights Errors Dashboard
    • Insights Hosts Dashboard
    • Insights Ingest Dashboard
    • Insights Overview Dashboard
    • Insights Request-Response Dashboard
    • Insights Search Dashboard
    • Insights Segments & Datasources Dashboard
    • Install Falcon LogScale Collector on Linux - Custom
    • Instance Sizing
    • JVM Configuration
    • Kafka Dashboard
    • Kafka Usage
    • Kubernetes Deployment Limits
    • Kubernetes Deployment Requirements
    • License Installation (Self-Hosted)
    • Limits & Standards (Cloud)
    • Limits & Standards (Self-Hosted)
    • Live Search Request
    • LogScale Internal Logging (Cloud)
    • LogScale Internal Logging (Self-Hosted)
    • LogScale on Bare Metal - Installation Preparation
    • Manage Users and Permissions (Cloud)
    • Manage Users and Permissions (Self-Hosted)
    • MaxMind Configuration
    • Naming and Informational Notes
    • Permissions requirements (Cloud)
    • Permissions requirements (Self-Hosted)
    • Query Monitor — Block & Kill (Self-Hosted)
    • Query data in the humio Repository
    • Remove or Unblock an Existing Block (Self-Hosted)
    • Replacing Hardware in a Cluster
    • Repository & View Permissions (Cloud)
    • Repository & View Permissions (Self-Hosted)
    • Requirements and Build Information
    • S3 Ingest Self-hosted Preparation (Self-Hosted)
    • Setting a Dynamic Configuration Value (Cloud)
    • Setting a Dynamic Configuration Value (Self-Hosted)
    • Switch Kafka using KRaft Mode
    • Switching Kafka
    • System API Tokens (Self-Hosted)
    • System tokens security policies (Self-Hosted)
    • Understanding Multi-Cluster Topologies (Self-Hosted)
    • XSOAR Security Management

  • Similar Content

    • Action Type: Slack
    • Action Type: Webhooks
    • Creating an Alert, Actions section
    • Add & Remove Fields
    • Adding Fields to Events
    • Advanced settings
    • Aggregate alert errors and solutions
    • Automation
    • Built-in Parsers
    • Conditional Evaluation
    • Create Actions
    • Create Dashboards and Widgets
    • Create triggers
    • Dashboards & Widgets
    • Delete a Repository or View
    • Display Fields
    • Edit Dashboards
    • Errors when Using Live join() Functions
    • Export Dashboards as PDF
    • Expressions
    • Filter Match Highlighting
    • Filter alert errors and solutions
    • Frequent query operations
    • Gauge Widget
    • General information about triggers
    • Creating an Alert, General section
    • Join Methods
    • Join Operation and Optimization
    • Legacy alert errors and solutions
    • LogScale Regular Expression Engines
    • Lookup Files
    • Manage Actions
    • Manage Dashboard Interactions
    • Manage Dashboard Parameters
    • Manage Dashboards
    • Manage Widgets
    • Manage triggers
    • Managing Falcon LTR Repositories
    • Managing Scheduled Reports
    • Message Templates and Variables
    • Monitor Trigger Execution through the humio-activity Repository
    • Monitor, diagnose, and troubleshoot triggers
    • Notifications
    • Operators
    • Parameter Panel Widget
    • Query Filters
    • Query Joins and Lookups
    • Query readability & better usage
    • Regular Expression Flags
    • Repository and View Settings
    • Scheduled search errors and solutions
    • Scheduled search properties
    • Section Time Selector
    • Send events that produced aggregate results to actions
    • Set the Time Zone
    • Template Expressions
    • Template Variable Types
    • Trigger management
    • Trigger properties
    • Triggers
    • Types of Join
    • User Parameters (Variables)
    • Using Ad-hoc Tables
    • Using Lookup Files
    • Using the join() Function
    • Using the match() Function
    • Using the readFile() Function
    • Using the selfJoin() Function
    • What trigger type to choose
    • Widget Time Selector
    • Work with Time on Dashboards

  • Architecture

    • Ingestion: Digest Phase

  • Related KB Articles

    • Troubleshooting: IP Access for Actions or Notifiers

  • Security Audit Entries

    • Audit Log Event dashboard.delete
    • Audit Log Event dashboard.update
    • Audit Log Event readonly.dashboard.accessed
    • Audit Log Event readonly.dashboard.update

  • Terminology

    • LogScale Multi-Cluster Search (Self-Hosted)

  • Training

    • Additional Components
    • Alerts, Scheduled Searches, and Actions
    • Configure a Dashboard
    • CrowdStrike Query Language Defined
    • Dashboards
    • Dashboards and Widgets Tutorial
    • Falcon LogScale Beginner Introduction
    • Ingestion
    • Log Sources
    • LogScale Video Series
    • Queries
    • Repositories
    • Search a Repository
    • Settings, Shortcuts, and Documentation
    • Widgets

Enter search term