Skip to content
LogoLogScale DocumentationFull Library Knowledge Base Release Notes Integrations Query Examples Training API GraphQL API Contacting Support
help

Versions of this Page

  • Knowledge Base
    • Troubleshooting Articles
      • Troubleshooting: ANSI Escape Codes Trigger a Warning
      • Troubleshooting: Beats and Logstash Log Shippers 7.13 and higher No Longer Work with LogScale
      • Troubleshooting: Beats Fails to Send Logs due to Filename Issues
      • Troubleshooting: Build too Recent After Upgrade
      • Troubleshooting: Disks Filling Up
      • Troubleshooting: Elastic API Port numbers
      • Troubleshooting: Error Starting LogScale due to Exec permissions on /tmp
      • Troubleshooting: Error: The Cluster ID ### doesn't match stored clusterId (###)
      • Troubleshooting: Event Grid Flickering
      • Troubleshooting: IP Access for Actions or Notifiers
      • Troubleshooting: LogScale User Interface is Slow
      • Troubleshooting: MaxMind IP Location DB Not Updating
      • Troubleshooting: Menu Item Missing
      • Troubleshooting: Queries fail after Upgrading Beats Log Shippers
      • Troubleshooting: UI Warning: The actual value is different from what is displayed
      • Troubleshooting: Using Non-OSS Beats Elastic API Causes Errors
      • Troubleshooting: Whitelisting Four-letter Commands in ZooKeeper
    • Best Practice Articles
      • Best Practice: Add a count() to groupBy() results when using collect()
      • Best Practice: Add additional fields to groupBy() results
      • Best Practice: Adding comments in query syntax
      • Best Practice: Adding hyperlinks to search output
      • Best Practice: Aggregations using field list shortcuts
      • Best Practice: Choosing a Log Shipper
      • Best Practice: Comparing Repos and Views
      • Best Practice: Contacting Support
      • Best Practice: Create a fixed-width column using format()
      • Best Practice: Create a stacked bar chart over time
      • Best Practice: Creating dynamic text boxes in queries
      • Best Practice: Does it matter (for performance reasons) where a tagged field search occurs in a query?
      • Best Practice: Estimating Local Disk Threshold
      • Best Practice: Format query output using groupBy()
      • Best Practice: Formatting query output using select()
      • Best Practice: Get Markdown URLs to display as URLs instead of strings when using groupBy()
      • Best Practice: Leveraging saved queries as functions
      • Best Practice: Omit _decimal and _readable dangling modifiers
      • Best Practice: Optimizing string and regular expression (regex) search performance
      • Best Practice: Query Monitoring- Blocking and Termination
      • Best Practice: Regular Expressions (regex)
      • Best Practice: Regular Expressions and their Pitfalls
      • Best Practice: Remove decimal place from timestamp field and convert to human-readable time
      • Best Practice: Tab to complete queries
      • Best Practice: Tags and Datasources
      • Best Practice: Upgrading a LogScale Cluster
      • Best Practice: Using case statements
      • Best Practice: Using match statements
      • Best Practice: Using regular expressions for field extractions and matching
      • Best Practice: Using Tags in Queries
      • Best Practice: Using the assignment operator
      • Best Practice: Using widget visualizations
      • Best Practice: Watch out for the hashtag on #event_simpleName and #cid
    • How-To Articles
      • How-To: Add a Dynamic URL to Query Results
      • How-To: Add a single field to groupBy() results
      • How-To: Add ComputerName or UserName to Falcon search results
      • How-To: Add Lines to a Query
      • How-To: Add Users and Groups to a Repo using GraphQL
      • How-To: Assign or Create a Dynamic Field
      • How-To: Block Queries using GraphQL
      • How-To: Case-Insensitive Searches
      • How-To: Compare the Last 31-60 days to the Previous 30 Days
      • How-To: Configuring a Standalone Installation to Start at Boot
      • How-To: Create a Dashboard through GraphQL
      • How-To: Create a Scheduled Search using GraphQL
      • How-To: Create a shorthand process lineage in the field processLineage
      • How-To: Create case-insensitive user input
      • How-To: Deduplicating Compound Fields
      • How-To: Delete Data in Bulk
      • How-To: Determining Non-query Download of Bucket Segments
      • How-To: Downgrading LogScale Collector from Version 1.8.1 to 1.7.x
      • How-To: Exclude RFC1819 and Non-Routable IP Addresses
      • How-To: Executing Queries from Powershell and Bash
      • How-To: Export a List of Users
      • How-To: Get the first and last event of a groupBy() query
      • How-To: Getting unsupported fields for collect()
      • How-To: Handling Empty or Null Values
      • How-To: How to Configure CrowdStream LogScale Destination
      • How-To: Manage Users using GraphQL
      • How-To: Managing timestamps
      • How-To: Migrating from server.jar to Launcher Startup
      • How-To: Migrating Kafka to humio-core Deployment
      • How-To: O365 Event Ingest into LogScale via Microsoft Graph (using pre-defined CrowdStream O365 Activity/Services)
      • How-To: On Correlating Events
      • How-To: Parse Log Lines into Fields with Regex
      • How-To: Parse Unix Timestamps
      • How-To: Pass a groupBy() result to timechart()
      • How-To: Pass Two Averages to a Timechart
      • How-To: Redacting Data from a Repository
      • How-To: Reformat a JSON Array using parseJson()
      • How-To: Return More than 200 Matching Events in a Query
      • How-To: Round a Number by Two Decimal Places
      • How-To: Search for Domain Indicators of Compromise (IOC) Across a Data Set Using lower()
      • How-To: Search for IP Indicators of Compromise (IoC) Across a Data Set
      • How-To: Search for URL Indicators of Compromise (IoC) Across a Data Set
      • How-To: Sorting by Timestamps within groupBy()
      • How-To: Sorting Exported Data
      • How-To: Split a Single Event into Multiple Events
      • How-To: Stop Running Queries using GraphQL
      • How-To: Upgrading from Non-OSS to OSS Beats Log Shippers
      • How-To: Use Conditional Expressions
      • How-To: Using Tag Grouping
      • How-To: Write a query supporting a case-insensitive dashboard parameter?
    • Questions
      • FAQ: Are shared secret URLs safe?
      • FAQ: Can I run LogScale on IPv6-only, IPv4-only or both?
      • FAQ: Can I send multiline events to LogScale?
      • FAQ: Can I set the license key using the API?
      • FAQ: Can I use multiple files with match()
      • FAQ: Does LogScale integrate with any notification systems?
      • FAQ: Errors are raised when data is ingested with Timestamps in the Future
      • FAQ: File Locations for Key LogScale Data
      • FAQ: How are timezones handled when sharing queries with people in different timezones?
      • FAQ: How do I complete a regex() extraction without filtering data?
      • FAQ: How do I concatenate two fields into a new single field?
      • FAQ: How do I convert a decimal value to a hexadecimal value?
      • FAQ: How do I convert decimal values to hexadecimal values?
      • FAQ: How do I create concatenated, formatted fields?
      • FAQ: How do I detect when a host (log source) stops sending logs?
      • FAQ: How do I do a join() statement?
      • FAQ: How do I extract an IP Address from the CommandLine field?
      • FAQ: How do I format a number to two decimal places?
      • FAQ: How do I get dashboard widgets to respect the time range selection of the dashboard?
      • FAQ: How do I get GeoIP data for RDP user logins and place them on a World Map with magnitude?
      • FAQ: How do I get GeoIP data for the aip field?
      • FAQ: How do I interpret and format timestamps in a specific timezone?
      • FAQ: How do I omit RFC-1819 addresses from my search results?
      • FAQ: How do I place latitude and longitude on a world map?
      • FAQ: How do I query a single field for multiple values?
      • FAQ: How do I replace UserIsAdmin decimal values with human-readable values?
      • FAQ: How do I set a default field value?
      • FAQ: How do I trim the length of a field string?
      • FAQ: How do I use test() to do field evaluations?
      • FAQ: How do time zones work in LogScale?
      • FAQ: How Does LogScale Handle Ingest Delays in Aggregate Alerts
      • FAQ: How is LogScale Responding to the Log4j Log4Shell Vulnerability
      • FAQ: Input Locked to Search Field when using Tab
      • FAQ: Is LogScale cloud only, or is it possible to use LogScale as a self-cloud solution?
      • FAQ: Is LogScale container ready?
      • FAQ: Organization Transfer
      • FAQ: Understanding LogScale Log Error Levels
      • FAQ: Understanding the Query State Size
      • FAQ: Using LOCAL_STORAGE_PERCENTAGE Disk Fills Past Configured Limit
      • FAQ: Version Upgrade Compatibility
      • FAQ: What are the effects of changing the settings of a throttled alert
      • FAQ: What common log shipping solutions does LogScale use?
      • FAQ: What is the difference between syslog and rsyslog?
      • FAQ: What is the Query Cache?
      • FAQ: What is timezone=Z
      • FAQ: Why does my Bucket Storage Size indicate larger value than LogScale UI
      • FAQ: Why not make a separate user for wall monitors?
    • Use Cases
      • Use Case: A Better Parser with Kubernetes & LogScale
      • Use Case: Advanced Log Routing with Fluent Bit
      • Use Case: Collecting AWS S3 Logs with LogScale & FluentD
      • Use Case: Comparing Averages over Search Intervals
      • Use Case: Hashing, Masking, and Anonymizing Sensitive Data
      • Use Case: Ingesting Application Logs
      • Use Case: Integrating LogScale with Grafana
      • Use Case: Log Management
      • Use Case: Migrating from Elastic Stack
      • Use Case: Migrating from Helm Chart to Operator
      • Use Case: Running LogScale on Kubernetes
      • Use Case: SentinelOne Audit Events
      • Use Case: Webhooks Shell Scripts
Falcon LogScale Documentation
/ Knowledge Base
/ Best Practice Articles
Reading time: 2 minutes

Best Practice: Adding hyperlinks to search output

When creating dashboards or saved searches, the ability to create hyperlinks using fields from the search results can be useful. To accomplish this, we can use the format() function.

Let's say we want to:

  • Search for executable files written to a system's Downloads folder

  • Create a list, and

  • Include a hyperlink to CrowdStrike's VirusTotal and Hybrid Analysis tools.

First we need to obtain the data and do some simple regex extractions:

logscale
#event_simpleName=PeFileWritten
| TargetFileName=/\\Downloads\\/
| TargetFileName=/(?<FilePath>.+\\)(?<FileName>.+$)/i

Now, we'll use the format() function to create hyperlinks and organize using groupBy():

logscale
#event_simpleName=PeFileWritten
| TargetFileName=/\\Downloads\\/
| TargetFileName=/(?<FilePath>.+\\)(?<FileName>.+$)/i
// Virus Total
| format("[Virus Total](https://www.virustotal.com/gui/file/%s)", field=[SHA256HashData], as="VT")
// Hybrid Analysis
| format("[Hybrid Analysis](https://www.hybrid-analysis.com/search?query=%s)", field=[SHA256HashData], as="HA")
| groupBy([aid, FileName], function=collect([FileName, FilePath, VT, HA]))
Example of adding hyperlinks to search output

Now clicking the VirusTotal or Hybrid Analysis links will direct you to the appropriate website with the data included for SHA256.

This is known colloquially as dorking, meaning the URL format for VirusTotal and Hybrid Analysis is known- if we create a URL and include data from our search results, we can hard link to external information. For Hybrid Analysis the format of the URL is:

url
www.hybrid-analysis.com/search?query=SHA256VALUE

The section after the question mark is dynamic - but we have the SHA256 value or the relevant files in our query results. So using format(), we can dork this hyperlink:

logscale Syntax
| format("[Hybrid Analysis](https://www.hybrid-analysis.com/search?query=%s)", field=[SHA256HashData], as="HA")

The text between the braces (here it's [Hybrid Analysis]) is what the hyperlink will be titled. The text in the as statement will be the column title in the aggregate output. This link could be used any time there's a SHA256 value in LogScale.

You could also use an Agent ID value to make a one-click RTR link:

logscale Syntax
// RTR
| format("[RTR Link](https://falcon.crowdstrike.com/
activity/real-time-response/console?start=hosts&aid=%s=f)", field=[aid], as="RTR")

Clicking this link will initiate an RTR session for the aid associated with the event.

Example of adding hyperlinks to search output

If you're using other third-party or internal tooling/resources, be sure to check if the associated URLs are standardized and 'workable'.

Support
  • Twitter
  • Facebook
  • LinkedIn
  • Youtube

© 2025 CrowdStrike All other marks contained herein are the property of their respective owners.

Other articles on this topic

Best Practice Articles
Recent Best Practice Articles
format()
round()
groupBy()
select()

Related KB Articles

Best Practice: Add a count() to groupBy() results when using collect()
How-To: Add a single field to groupBy() results
Best Practice: Add additional fields to groupBy() results
How-To: Compare the Last 31-60 days to the Previous 30 Days
FAQ: How do I convert a decimal value to a hexadecimal value?
FAQ: How do I convert decimal values to hexadecimal values?
FAQ: How do I create concatenated, formatted fields?
Best Practice: Create a fixed-width column using format()
Best Practice: Create a stacked bar chart over time
Use Case: Hashing, Masking, and Anonymizing Sensitive Data
How-To: Deduplicating Compound Fields
Best Practice: Creating dynamic text boxes in queries
How-To: Add a Dynamic URL to Query Results
How-To: Handling Empty or Null Values
FAQ: How do I format a number to two decimal places?
Best Practice: Format query output using groupBy()
How-To: Get the first and last event of a groupBy() query
How-To: Sorting by Timestamps within groupBy()
FAQ: How do I detect when a host (log source) stops sending logs?
Best Practice: Get Markdown URLs to display as URLs instead of strings when using groupBy()
How-To: Pass a groupBy() result to timechart()
Best Practice: Using regular expressions for field extractions and matching
How-To: Create a shorthand process lineage in the field processLineage
FAQ: How do I use test() to do field evaluations?
FAQ: How do I trim the length of a field string?
Best Practice: Using widget visualizations

Enter search term