Page was created: Mar 18, 2026

How-To: Navigate the New LogScale Search Interface in Version 1.228

LogScale has introduced updates to the web user interface for the search experience in version 1.228. This new layout aims to provide a more intuitive and efficient search workflow.

This article compares previous and new versions of the search interface and highlights the key changes and new features.

In short:

  • New Query editor

  • New button for adding more data

  • New location of the style/format icon

  • New tabbing layout for output display

  • New Widget selector

What's new in the Query Editor

The Query editor supports new functionality for a better search and data analysis experience. In particular, features such as code folding, auto-indentation, pre-built code snippets and visual feedback on errors help you write and refine complex queries as you type.

See Query Editor for more information.

How to add more data

The Sample more button replaces the Fetch more button. The new button can now display up to 5,000 sample event fields.

Previous Layout: [image: UI button to add more data in previous search interface]
Current Layout: [image: UI button to add more data in new search interface]

See Display Fields for more information on this panel.

How to format events and field columns

The style icon that opens the Format panel is now located on top of the event list.

Previous Layout: [image: previous Format Panel access] [image: previous Format Panel dialog]
Current Layout: [image: current Format Panel access]

Where to find output data

The Search page presents renamed tabs to display results and events according to the query used. Some of them are shown in this table; refer to Display tabs for more.

Previous Layout: [image: previous layout of the Event List]
Current Layout: [image: current layout of the Event List]
Previous Layout: [image: previous layout of the Results tab]
Current Layout: [image: current layout of the Auto tab]

The Tool panel has also changed slightly: some display options, like Manage interactions or Filter match highlighting, are now accessible via a three-dot menu ⋮:

Previous Layout: [image: previous layout of the Tool panel]
Current Layout: [image: current layout of the Tool panel]

How to change data visualization

The Widget selector dropdown menu is now available as a new tab at the same level as the event list (it was previously positioned at the top of the Query editor).

Additionally, the Widget selector now provides descriptions of the different widgets, to help you choose the best visualization for your data.

Previous Layout: [image: previous layout of the Widget selector]
Current Layout: [image: current layout of the Widget selector]