Logscale Query Language: Cheatsheet

LogScale Query Language (LQL)

This cheat sheet provides quick reference examples for SOC analysts using LogScale, with a fun twist using coffee-related queries. It’s designed to help you filter through events and explore data efficiently.

Cheers ☕

Basic Query Structure

  • Implicit AND: Espresso MachineError
  • Explicit AND: Espresso AND WaterLeak
  • OR: Latte OR Cappuccino
  • NOT: NOT Decaf

Free-Text Filters

Search for strings across all fields, excluding special fields like @id, @timestamp, etc.

  • Single Word: Espresso
  • Phrase: "Coffee Grind Size"
  • Regular Expression: /milk.*foam/
  • Case-Insensitive Regex: /cappuccino/i

Field Filters

Target specific event fields for text or numbers.

  • Contains: MachineType = *Espresso*
  • Exact Match: Beverage = "Flat White"
  • Not Equal: Status != "Error"
  • Exists: CoffeeBrand = *
  • Does Not Exist: MaintenanceRecord != *

Regular Expression Filters

Use regular expressions for pattern matching in specific fields or across all fields.

  • Field-Specific Regex: ErrorDetails = /temperature.*high/
  • Global Regex Search: /decaf espresso/

Logical Operators

Combine filters to refine searches.

  • AND Combination: MachineType = Espresso AND Error = true
  • OR Combination: Beverage = "Americano" OR Beverage = "Espresso"
  • NOT Exclusion: NOT Beverage = "Decaf"
  • Grouping: (Beverage = "Latte" OR Beverage = "Cappuccino") AND Temperature > 65

Special Queries

  • Event Name Filter: #event_simpleName = "CoffeeOrder"
  • Specific IP and Event: IPAddress = "" AND #event_simpleName = "MaintenanceScheduled"
  • Time Range: @timestamp > "2024-02-01T00:00:00Z" AND @timestamp < "2024-02-28T23:59:59Z"

Negating Filter Functions

  • Exclude Specific Subnet: !cidr(ip, subnet="")
  • Exclude Specific Values: !in(Beverage, values=["Decaf", "Instant"])

Remember, this cheat sheet is a quick reference guide. For more complex queries and functions, refer to the detailed LogScale documentation.