Best Practice: Adding comments in query syntax

Adding comments to your syntax is a great way to facilitate knowledge transfer and make query triage much easier. The CrowdStrike Query Language (CQL) supports // single-line and /* multi-line */ comments.

To add single-line comments to a query in-line, type two forward slashes in the LogScale query editor. The comment will be highlighted in green. You can add as many comments as you'd like. Here is a quick example:

```logscale
// Get all ProcessRollup2 events
#event_simpleName=ProcessRollup2
// Search for system User SID
| UserSid="S-1-5-18"
// Count total executions
| count(aid, as=totalExecutions)
```

The above code block will result in:

Visual example of adding comments to a LogScale query

Multi-line comments are useful to provide a deeper description or documentation for a search. Here is a quick example of using multi-line comments:

```logscale
/* Search for killed processes
   Set the <signal> type and <process> name */
?{signal="*" }
| ?{process="*"}
| /Service exited due to (?<signal>\S+)/
| signal = ?signal
| /sent by (?<process>\S+)\[\d+\]/
| process = ?process
```
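As an added example (not part of this page or of CrowdStrike's tooling), the Python helper below separates a CQL query's comments from its code while respecting the `"strings"` and `/regex literals/` used in the queries above, so a `//` inside a URL string is not dropped as a comment. It assumes that a lone `/` outside a string or comment opens a regex literal.

```python
def split_cql_comments(query: str) -> tuple[str, list[str]]:
    """Split a CQL query into (code, comments).

    Comments (// and /* */) are removed from code and returned as a list;
    "strings" and /regex literals/ are copied verbatim, so // inside a URL
    string is not a comment.  Assumption: a lone / opens a regex literal.
    """
    code: list[str] = []
    comments: list[str] = []
    i, n = 0, len(query)
    while i < n:
        c, nxt = query[i], query[i + 1:i + 2]
        if c == "/" and nxt == "/":                 # single-line comment
            end = query.find("\n", i)
            end = n if end == -1 else end
            comments.append(query[i + 2:end].strip())
            i = end                                 # the newline itself is kept
        elif c == "/" and nxt == "*":               # multi-line comment
            end = query.find("*/", i + 2)
            body = query[i + 2:] if end == -1 else query[i + 2:end]
            comments.append(" ".join(body.split()))
            i = n if end == -1 else end + 2
        elif c in ('"', "/"):                       # string or regex literal
            j = i + 1
            while j < n and query[j] != c:
                j += 2 if query[j] == "\\" else 1   # skip escapes such as \/ or \"
            code.append(query[i:j + 1])
            i = j + 1
        else:
            code.append(c)
            i += 1
    lines = [ln.strip() for ln in "".join(code).splitlines()]
    return "\n".join(ln for ln in lines if ln), comments

# The first query from this page, plus a constructed query whose string and
# regex contain "//" that must survive.
PAGE_QUERY = """// Get all ProcessRollup2 events
#event_simpleName=ProcessRollup2
// Search for system User SID
| UserSid="S-1-5-18"
// Count total executions
| count(aid, as=totalExecutions)"""

CONSTRUCTED_QUERY = r'''| url="http://x" // keep the URL
| path=/\/\/login/ /* note */'''

if __name__ == "__main__":
    print(split_cql_comments(PAGE_QUERY))
    print(split_cql_comments(CONSTRUCTED_QUERY))
```

Pulling the comments out this way is one route to generating a description for a saved search from the notes its author wrote inline.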