LogScale gives you the ability to save queries for fast and easy use- this also provides you with the ability to use saved queries as functions in new queries.

Saved queries can be complete queries with formatted output, or just parts of queries that you wish to invoke as functions. The options are both flexible and powerful!

Let's look at an example from the knowledge base article Best Practice: Using case statements:

| case {
    UserIsAdmin=1 | UserIsAdmin_Readable := "True" ;
    UserIsAdmin=0 | UserIsAdmin_Readable := "False" ;
    * ;
  }

We can run that case statement by itself, then save it as a Saved Query with the name ConvertUserIsAdmin.

We can then invoke it as part of another query:

#event_simpleName=UserLogon event_platform=Win
| $ConvertUserIsAdmin()
| select([aid, UserName, UserSid, UserIsAdmin, UserIsAdmin_Readable])