Best Practice: Watch out for the hashtag on #event_simpleName and #cid
LogScale has the ability to apply tags to fields. By doing so, LogScale allows you to quickly and efficiently organize, include, and exclude large collections of events as you search. Applying tags to raw telemetry is completed for you by the parser when dealing with Falcon Long Term Repository (LTR) data.
Two very important fields, event_simpleName and cid, are tagged in LogScale. Because of this, when you specify an event_simpleName or cid value in LogScale syntax, you need to put a # (hash or pound) in front of that field.
#event_simpleName=ProcessRollup2 #cid=123456789012345678901234
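A small pre-save check for stored queries that flags filters on the two tagged fields written without the #. This is an added example, not CrowdStrike code: the function names are hypothetical, the sample queries in the comments are constructed, and it only inspects `=` and `!=` filters outside quoted strings and `//` comments.

```python
import re

# Tagged fields named on this page; extend with others listed in the LogScale sidebar.
TAGGED_FIELDS = ("event_simpleName", "cid")

# Quoted strings and // comments, blanked out so field names inside them are ignored.
_IGNORED = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*')
# A tagged field name used as a filter (= or !=) with no '#' directly in front.
# The lookbehind also rejects longer names that merely end in "cid".
_UNTAGGED = re.compile(
    r"(?<![#\w.])(" + "|".join(map(re.escape, TAGGED_FIELDS)) + r")\s*(!?=)"
)


def _mask(query):
    """Replace strings and comments with spaces, keeping offsets and newlines."""
    return _IGNORED.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), query)


def find_untagged(query):
    """Return (line, column, field) for each tagged field filtered without '#'."""
    masked = _mask(query)
    hits = []
    for m in _UNTAGGED.finditer(masked):
        line_start = masked.rfind("\n", 0, m.start()) + 1
        line_no = masked.count("\n", 0, m.start()) + 1
        hits.append((line_no, m.start() - line_start + 1, m.group(1)))
    return hits


def add_hashes(query):
    """Return the query with '#' inserted in front of each untagged filter."""
    out, last = [], 0
    for m in _UNTAGGED.finditer(_mask(query)):
        out.append(query[last:m.start()] + "#")
        last = m.start()
    out.append(query[last:])
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample: the page's query with both hashes forgotten.
    sample = "event_simpleName=ProcessRollup2 cid=123456789012345678901234"
    for line_no, col, field in find_untagged(sample):
        print(f"line {line_no}, col {col}: {field} is tagged, write #{field}")
    print(add_hashes(sample))
```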
If you forget, or want to know which other fields are tagged, the LogScale sidebar shows the tagged fields: