Best Practice: Creating dynamic text boxes in queries

A unique feature of LogScale is the ability to include editable text boxes directly in the query syntax. Combined with a saved query, text boxes are a quick way to reuse a query when the target of a search changes (a username, a hostname, a domain) but the query logic itself needs to stay the same.

Here's an example:

```shell
// Get all DNS Request events
//
#event_simpleName=DnsRequest
//
// Use regex to determine top level domain
//
| DomainName=/\.?(?<topLevelDomain>\w+\.\w+$)/i
//
// Create a search box for top level domain
//
| topLevelDomain=?topLevelDomain
//
// Count number of domain variations by top level domain
//
| groupBy(topLevelDomain, function=(count(DomainName, distinct=true, as=domainVariations)))
```

The query now exposes an editable text box that modifies the search. It defaults to a wildcard (matching every value), and analysts can enter criteria in the box to narrow the search dynamically without editing the query itself.
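To show what the query above actually does to individual events, here is an added Python model of its three stages (the regex capture, the wildcard-defaulted text box filter, and the distinct count per top level domain). It is not LogScale code and not part of the original page: the events are constructed sample data, the `(?<name>...)` group is written as Python's `(?P<name>...)`, and the text box value is matched with `fnmatchcase` as a simplification of LogScale's wildcard matching (an assumption, including its case sensitivity). The edge cases in the sample input (a hyphenated label, a two-part suffix such as `co.uk`, a bare hostname, mixed case) are where the regex behaves in ways worth knowing before trusting the counts.

```python
import re
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed sample events, not real telemetry.
EVENTS = [
    {"#event_simpleName": "DnsRequest", "DomainName": "mail.google.com"},
    {"#event_simpleName": "DnsRequest", "DomainName": "www.google.com"},
    {"#event_simpleName": "DnsRequest", "DomainName": "GOOGLE.COM"},
    {"#event_simpleName": "DnsRequest", "DomainName": "cdn.example.net"},
    {"#event_simpleName": "DnsRequest", "DomainName": "my-site.com"},
    {"#event_simpleName": "DnsRequest", "DomainName": "news.bbc.co.uk"},
    {"#event_simpleName": "DnsRequest", "DomainName": "localhost"},
    {"#event_simpleName": "ProcessRollup2", "DomainName": "ignored.example.org"},
]

# Same pattern as the page's /\.?(?<topLevelDomain>\w+\.\w+$)/i, in Python syntax.
# \w does not match '-', so a hyphenated label is skipped; the capture is the
# last two dot-separated labels, so multi-part suffixes like co.uk collapse.
TLD_RE = re.compile(r"\.?(?P<topLevelDomain>\w+\.\w+$)", re.IGNORECASE)


def extract_tld(domain):
    """Return the captured topLevelDomain, or None when the regex does not match."""
    m = TLD_RE.search(domain)
    return m.group("topLevelDomain") if m else None


def run_query(events, top_level_domain="*"):
    """Model of the saved query; top_level_domain is the text box value.

    '*' is the text box default and matches every extracted value. Any other
    value is applied as a wildcard pattern (assumed fnmatch-style, case-sensitive).
    """
    buckets = defaultdict(set)
    for ev in events:
        if ev.get("#event_simpleName") != "DnsRequest":
            continue
        tld = extract_tld(ev.get("DomainName", ""))
        if tld is None:
            continue  # regex filter drops events it cannot match, e.g. bare hostnames
        if not fnmatchcase(tld, top_level_domain):
            continue  # event filtered out by the text box criteria
        # Note: /i makes the match case-insensitive, but the captured text keeps
        # its original case, so "GOOGLE.COM" becomes a separate group key.
        buckets[tld].add(ev["DomainName"])
    # groupBy(topLevelDomain, function=count(DomainName, distinct=true))
    return {tld: len(names) for tld, names in buckets.items()}


if __name__ == "__main__":
    print(run_query(EVENTS))            # text box left at its wildcard default
    print(run_query(EVENTS, "*.com"))   # analyst typed a wildcard pattern
    print(run_query(EVENTS, "google.com"))
```

Two results are worth checking against the sample data: `news.bbc.co.uk` is grouped under `co.uk` rather than `bbc.co.uk`, and `my-site.com` lands under `site.com`, so a text box value of `my-site.com` would match nothing. If those domains matter in an environment, the regex in the saved query needs adjusting before the counts are meaningful.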

Example of a dynamic search box

Multiple dynamic search boxes can be added to a query as desired. The format is:

```shell
FieldToSearch=?nameOfTextBox
```

Note

nameOfTextBox can be any string, but it cannot include spaces when written in this view. Text boxes can be edited further in the Dashboards section of LogScale.