Create Frequency Count With Formatted Links

Transform field values into clickable links with occurrence count using the top() function with format()

Query

Flow: Events → Aggregate → Augment Data → Result Set

```logscale
top(repo)
| format("[Link](https://example.com/%s)", field=repo, as=link)
```

Introduction

The top() function can be used to count occurrences of field values and sort them by frequency, providing insights into the most common values in your data.

In this example, the top() function is used to count occurrences of repository names in the field repo, followed by the format() function to create clickable links for each repository.

Example incoming data might look like this:

| @timestamp | repo | action | user |
|---|---|---|---|
| 2023-06-15T10:00:00Z | frontend-app | push | alice |
| 2023-06-15T10:05:00Z | backend-api | clone | bob |
| 2023-06-15T10:10:00Z | frontend-app | pull | charlie |
| 2023-06-15T10:15:00Z | database-service | push | alice |
| 2023-06-15T10:20:00Z | frontend-app | pull | bob |
| 2023-06-15T10:25:00Z | backend-api | push | alice |
| 2023-06-15T10:30:00Z | monitoring-tool | clone | charlie |
| 2023-06-15T10:35:00Z | frontend-app | push | bob |

Step-by-Step

  1. Starting with the source repository events.

  2. Aggregate:

    ```logscale
    top(repo)
    ```

    Groups events by the repo field and counts their occurrences. Creates a result set with two fields: the repository name (repo) and _count. Results are automatically sorted by count in descending order. If no limit is specified, the top() function returns all unique values.

  3. Augment Data:

    ```logscale
    | format("[Link](https://example.com/%s)", field=repo, as=link)
    ```

    Creates formatted markdown-style links based on repository values in repo and returns the results in a new field named link.

    The field parameter specifies that the value of the repo field is inserted into the format string at the %s placeholder.

  4. Event Result set.

Summary and Results

The query is used to analyze the frequency of repository interactions and create clickable links for each repository.

This query is useful, for example, to create interactive reports showing which repositories are most actively used, or to build dashboards where users can quickly open frequently accessed repositories.

Sample output from the incoming example data:

| repo | _count | link |
|---|---|---|
| frontend-app | 4 | [Link](https://example.com/frontend-app) |
| backend-api | 2 | [Link](https://example.com/backend-api) |
| monitoring-tool | 1 | [Link](https://example.com/monitoring-tool) |
| database-service | 1 | [Link](https://example.com/database-service) |

Note that the results are automatically sorted by count in descending order, showing the most frequently accessed repositories first. The original field value is preserved in the repo field while the formatted link is available in the link field.
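The query above inserts the repo value into the URL verbatim, which is fine for the sample names but not for log values containing spaces, slashes or parentheses. The following Python model is an added example, not LogScale code or part of the original page: it reproduces the count-and-link result over the page's sample events and compares a verbatim link with a percent-encoded one. The function names, the constructed value `ODD_REPO` and the simplified link parser are assumptions made for illustration.

```python
import re
from collections import Counter
from urllib.parse import quote

BASE = "https://example.com/"

# Constructed input: the repo column of the page's eight sample events.
PAGE_EVENTS = [
    "frontend-app", "backend-api", "frontend-app", "database-service",
    "frontend-app", "backend-api", "monitoring-tool", "frontend-app",
]

# Constructed value (not from the page) with characters that matter in a URL
# and in a markdown link.
ODD_REPO = "team a/tools (old)"


def top(values, limit=None):
    """Model of top(field): count each value, sort by count descending.

    The order among values with equal counts is not defined by this model.
    """
    rows = sorted(Counter(values).items(), key=lambda kv: kv[1], reverse=True)
    return rows if limit is None else rows[:limit]


def link_raw(repo):
    """Link built as in the page's format() call: value inserted verbatim."""
    return f"[Link]({BASE}{repo})"


def link_encoded(repo):
    """Same link with the value percent-encoded as one path segment."""
    return f"[Link]({BASE}{quote(repo, safe='')})"


def report(values, make_link):
    """Result set with the page's three columns: repo, _count, link."""
    return [{"repo": r, "_count": c, "link": make_link(r)} for r, c in top(values)]


def link_target(markdown):
    """Simplified renderer model: the target ends at the first space or ')'."""
    match = re.match(r"\[Link\]\(([^)\s]*)", markdown)
    return match.group(1) if match else None


if __name__ == "__main__":
    for row in report(PAGE_EVENTS + [ODD_REPO], link_raw):
        encoded = link_encoded(row["repo"])
        print(row["_count"], row["repo"])
        print("   verbatim target:", link_target(row["link"]))
        print("   encoded target: ", link_target(encoded))
```

For names made only of letters, digits and hyphens the two links are identical, so encoding changes nothing in the page's sample output. In a LogScale query the corresponding step is to apply urlEncode() to the field before format().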

© 2025 CrowdStrike All other marks contained herein are the property of their respective owners.
