Skip to content
LogoLogScale DocumentationFull Library Knowledge Base Release Notes Integrations Query Examples Training API GraphQL API Contacting Support
help

Versions of this Page

  • Knowledge Base
    • Troubleshooting Articles
      • Troubleshooting: ANSI Escape Codes Trigger a Warning
      • Troubleshooting: Beats and Logstash Log Shippers 7.13 and higher No Longer Work with LogScale
      • Troubleshooting: Beats Fails to Send Logs due to Filename Issues
      • Troubleshooting: Build too Recent After Upgrade
      • Troubleshooting: Disks Filling Up
      • Troubleshooting: Elastic API Port numbers
      • Troubleshooting: Error Starting LogScale due to Exec permissions on /tmp
      • Troubleshooting: Error: The Cluster ID ### doesn't match stored clusterId (###)
      • Troubleshooting: Event Grid Flickering
      • Troubleshooting: IP Access for Actions or Notifiers
      • Troubleshooting: LogScale User Interface is Slow
      • Troubleshooting: MaxMind IP Location DB Not Updating
      • Troubleshooting: Menu Item Missing
      • Troubleshooting: Queries fail after Upgrading Beats Log Shippers
      • Troubleshooting: UI Warning: The actual value is different from what is displayed
      • Troubleshooting: Using Non-OSS Beats Elastic API Causes Errors
      • Troubleshooting: Whitelisting Four-letter Commands in ZooKeeper
    • Best Practice Articles
      • Best Practice: Add a count() to groupBy() results when using collect()
      • Best Practice: Add additional fields to groupBy() results
      • Best Practice: Adding comments in query syntax
      • Best Practice: Adding hyperlinks to search output
      • Best Practice: Aggregations using field list shortcuts
      • Best Practice: Choosing a Log Shipper
      • Best Practice: Comparing Repos and Views
      • Best Practice: Contacting Support
      • Best Practice: Create a fixed-width column using format()
      • Best Practice: Create a stacked bar chart over time
      • Best Practice: Creating dynamic text boxes in queries
      • Best Practice: Does it matter (for performance reasons) where a tagged field search occurs in a query?
      • Best Practice: Estimating Local Disk Threshold
      • Best Practice: Format query output using groupBy()
      • Best Practice: Formatting query output using select()
      • Best Practice: Get Markdown URLs to display as URLs instead of strings when using groupBy()
      • Best Practice: Leveraging saved queries as functions
      • Best Practice: Omit _decimal and _readable dangling modifiers
      • Best Practice: Optimizing string and regular expression (regex) search performance
      • Best Practice: Query Monitoring- Blocking and Termination
      • Best Practice: Regular Expressions (regex)
      • Best Practice: Regular Expressions and their Pitfalls
      • Best Practice: Remove decimal place from timestamp field and convert to human-readable time
      • Best Practice: Tab to complete queries
      • Best Practice: Tags and Datasources
      • Best Practice: Upgrading a LogScale Cluster
      • Best Practice: Using case statements
      • Best Practice: Using match statements
      • Best Practice: Using regular expressions for field extractions and matching
      • Best Practice: Using Tags in Queries
      • Best Practice: Using the assignment operator
      • Best Practice: Using widget visualizations
      • Best Practice: Watch out for the hashtag on #event_simpleName and #cid
    • How-To Articles
      • How-To: Add a Dynamic URL to Query Results
      • How-To: Add a single field to groupBy() results
      • How-To: Add ComputerName or UserName to Falcon search results
      • How-To: Add Lines to a Query
      • How-To: Add Users and Groups to a Repo using GraphQL
      • How-To: Assign or Create a Dynamic Field
      • How-To: Block Queries using GraphQL
      • How-To: Case-Insensitive Searches
      • How-To: Compare the Last 31-60 days to the Previous 30 Days
      • How-To: Configuring a Standalone Installation to Start at Boot
      • How-To: Create a Dashboard through GraphQL
      • How-To: Create a Scheduled Search using GraphQL
      • How-To: Create a shorthand process lineage in the field processLineage
      • How-To: Create case-insensitive user input
      • How-To: Deduplicating Compound Fields
      • How-To: Delete Data in Bulk
      • How-To: Determining Non-query Download of Bucket Segments
      • How-To: Downgrading LogScale Collector from Version 1.8.1 to 1.7.x
      • How-To: Exclude RFC1819 and Non-Routable IP Addresses
      • How-To: Executing Queries from Powershell and Bash
      • How-To: Export a List of Users
      • How-To: Get the first and last event of a groupBy() query
      • How-To: Getting unsupported fields for collect()
      • How-To: Handling Empty or Null Values
      • How-To: How to Configure CrowdStream LogScale Destination
      • How-To: Manage Users using GraphQL
      • How-To: Managing timestamps
      • How-To: Migrating from server.jar to Launcher Startup
      • How-To: Migrating Kafka to humio-core Deployment
      • How-To: O365 Event Ingest into LogScale via Microsoft Graph (using pre-defined CrowdStream O365 Activity/Services)
      • How-To: On Correlating Events
      • How-To: Parse Log Lines into Fields with Regex
      • How-To: Parse Unix Timestamps
      • How-To: Pass a groupBy() result to timechart()
      • How-To: Pass Two Averages to a Timechart
      • How-To: Redacting Data from a Repository
      • How-To: Reformat a JSON Array using parseJson()
      • How-To: Return More than 200 Matching Events in a Query
      • How-To: Round a Number by Two Decimal Places
      • How-To: Search for Domain Indicators of Compromise (IOC) Across a Data Set Using lower()
      • How-To: Search for IP Indicators of Compromise (IoC) Across a Data Set
      • How-To: Search for URL Indicators of Compromise (IoC) Across a Data Set
      • How-To: Sorting by Timestamps within groupBy()
      • How-To: Sorting Exported Data
      • How-To: Split a Single Event into Multiple Events
      • How-To: Stop Running Queries using GraphQL
      • How-To: Upgrading from Non-OSS to OSS Beats Log Shippers
      • How-To: Use Conditional Expressions
      • How-To: Using Tag Grouping
      • How-To: Write a query supporting a case-insensitive dashboard parameter?
    • Questions
      • FAQ: Are shared secret URLs safe?
      • FAQ: Can I run LogScale on IPv6-only, IPv4-only or both?
      • FAQ: Can I send multiline events to LogScale?
      • FAQ: Can I set the license key using the API?
      • FAQ: Can I use multiple files with match()
      • FAQ: Does LogScale integrate with any notification systems?
      • FAQ: Errors are raised when data is ingested with Timestamps in the Future
      • FAQ: File Locations for Key LogScale Data
      • FAQ: How are timezones handled when sharing queries with people in different timezones?
      • FAQ: How do I complete a regex() extraction without filtering data?
      • FAQ: How do I concatenate two fields into a new single field?
      • FAQ: How do I convert a decimal value to a hexadecimal value?
      • FAQ: How do I convert decimal values to hexadecimal values?
      • FAQ: How do I create concatenated, formatted fields?
      • FAQ: How do I detect when a host (log source) stops sending logs?
      • FAQ: How do I do a join() statement?
      • FAQ: How do I extract an IP Address from the CommandLine field?
      • FAQ: How do I format a number to two decimal places?
      • FAQ: How do I get dashboard widgets to respect the time range selection of the dashboard?
      • FAQ: How do I get GeoIP data for RDP user logins and place them on a World Map with magnitude?
      • FAQ: How do I get GeoIP data for the aip field?
      • FAQ: How do I interpret and format timestamps in a specific timezone?
      • FAQ: How do I omit RFC-1819 addresses from my search results?
      • FAQ: How do I place latitude and longitude on a world map?
      • FAQ: How do I query a single field for multiple values?
      • FAQ: How do I replace UserIsAdmin decimal values with human-readable values?
      • FAQ: How do I set a default field value?
      • FAQ: How do I trim the length of a field string?
      • FAQ: How do I use test() to do field evaluations?
      • FAQ: How do time zones work in LogScale?
      • FAQ: How Does LogScale Handle Ingest Delays in Aggregate Alerts
      • FAQ: How is LogScale Responding to the Log4j Log4Shell Vulnerability
      • FAQ: Input Locked to Search Field when using Tab
      • FAQ: Is LogScale cloud only, or is it possible to use LogScale as a self-cloud solution?
      • FAQ: Is LogScale container ready?
      • FAQ: Organization Transfer
      • FAQ: Understanding LogScale Log Error Levels
      • FAQ: Understanding the Query State Size
      • FAQ: Using LOCAL_STORAGE_PERCENTAGE Disk Fills Past Configured Limit
      • FAQ: Version Upgrade Compatibility
      • FAQ: What are the effects of changing the settings of a throttled alert
      • FAQ: What common log shipping solutions does LogScale use?
      • FAQ: What is the difference between syslog and rsyslog?
      • FAQ: What is the Query Cache?
      • FAQ: What is timezone=Z
      • FAQ: Why does my Bucket Storage Size indicate larger value than LogScale UI
      • FAQ: Why not make a separate user for wall monitors?
    • Use Cases
      • Use Case: A Better Parser with Kubernetes & LogScale
      • Use Case: Advanced Log Routing with Fluent Bit
      • Use Case: Collecting AWS S3 Logs with LogScale & FluentD
      • Use Case: Comparing Averages over Search Intervals
      • Use Case: Hashing, Masking, and Anonymizing Sensitive Data
      • Use Case: Ingesting Application Logs
      • Use Case: Integrating LogScale with Grafana
      • Use Case: Log Management
      • Use Case: Migrating from Elastic Stack
      • Use Case: Migrating from Helm Chart to Operator
      • Use Case: Running LogScale on Kubernetes
      • Use Case: SentinelOne Audit Events
      • Use Case: Webhooks Shell Scripts
Falcon LogScale Documentation
/ Knowledge Base
/ How-To Articles
Reading time: 2 minutes

How-To: Create a Scheduled Search using GraphQL

You can create a scheduled search using the mutation createScheduledSearch() .

This mutation requires a long list of input parameters, for some of them it worth it to specify their meaning and format:

  • viewName: it is the name of an existing view/repository

  • queryString: it's the LogScale query you want to schedule, in this example is a simple count() function, but it could be a complex query

  • queryStart: start of the relative time interval for the query (for details about the format check Relative Time Syntax)

  • queryEnd: end of the relative time interval for the query (for details about the format check Relative Time Syntax)

  • schedule: Cron pattern describing the schedule to execute the query on

  • timeZone: Time zone of the schedule, it only supports UTC offsets like 'UTC', 'UTC-01' or 'UTC+12:45'

  • backfillLimit: User-defined limit, which caps the number of missed searches to backfill

  • enabled: boolean to enable/disable the scheduled search

  • actions: Array of action IDs to fire on the query result

  • labels: Labels attached to the scheduled search

To create a search:

javascript
mutation{
  createScheduledSearch(input:{
    viewName: "<REPO_NAME>",
    name: "<SCHEDULED_SEARCH_NAME>",
    description: "Description for the scheduled search",
    queryString: "count()",
    queryStart: "26h",
    queryEnd: "2h",
    schedule: "0 2 * * *",
    timeZone: "UTC-04:00",
    backfillLimit: 0,
    enabled: true,
    actions: ["<ACTION_ID>"],
    labels: []
  }) {
    name
  }
}

To get the action IDs for a specific repository, you can use this query:

graphql
query {
  repository(name: "<REPO_NAME>") {
    name
    alerts {
      name
      actions
    }
  }
}

Here's an example using curl:

shell
$ curl -v -XPOST -H "Content-Type:application/json" http://localhost:8080/graphql -d \
   '{"query": "mutation{createScheduledSearch(input:{viewName:\"<REPO_NAME>\", \
   name: \"<SCHEDULED_SEARCH_NAME>\",description: \"Description for the scheduled search\", \
   queryString: \"count()\",queryStart: \"26h\", queryEnd: \"2h\", schedule: \"0 2 * * *\", \
   timeZone: \"UTC-04:00\",backfillLimit: 0, enabled: true, actions: [\"<ACTION_ID>\"], labels: []}){name}}"}'

This is an example of cURL call on a self-hosted instance of LogScale. You can also run it against the public LogScale hostname using an actual user API token (which is obtained from the Your Account area from the menu on the right in the header).

Support
  • Twitter
  • Facebook
  • LinkedIn
  • Youtube

© 2025 CrowdStrike All other marks contained herein are the property of their respective owners.

Other articles on this topic

How-To Articles

Enter search term