LogScale Query Language (LQL)
This cheat sheet provides quick reference examples for SOC analysts using LogScale, with a fun twist using coffee-related queries. It’s designed to help you filter through events and explore data efficiently.
Cheers ☕
Basic Query Structure
- Implicit AND:
Espresso MachineError
- Explicit AND:
Espresso AND WaterLeak
- OR:
Latte OR Cappuccino
- NOT:
NOT Decaf
Free-Text Filters
Search for strings across all fields, excluding special fields like @id
, @timestamp
, etc.
- Single Word:
Espresso
- Phrase:
"Coffee Grind Size"
- Regular Expression:
/milk.*foam/
- Case-Insensitive Regex:
/cappuccino/i
Field Filters
Target specific event fields for text or numbers.
- Contains:
MachineType = *Espresso*
- Exact Match:
Beverage = "Flat White"
- Not Equal:
Status != "Error"
- Exists:
CoffeeBrand = *
- Does Not Exist:
MaintenanceRecord != *
Regular Expression Filters
Use regular expressions for pattern matching in specific fields or across all fields.
- Field-Specific Regex:
ErrorDetails = /temperature.*high/
- Global Regex Search:
/decaf espresso/
Logical Operators
Combine filters to refine searches.
- AND Combination:
MachineType = Espresso AND Error = true
- OR Combination:
Beverage = "Americano" OR Beverage = "Espresso"
- NOT Exclusion:
NOT Beverage = "Decaf"
- Grouping:
(Beverage = "Latte" OR Beverage = "Cappuccino") AND Temperature > 65
Special Queries
- Event Name Filter:
#event_simpleName = "CoffeeOrder"
- Specific IP and Event:
IPAddress = "192.168.1.5" AND #event_simpleName = "MaintenanceScheduled"
- Time Range:
@timestamp > "2024-02-01T00:00:00Z" AND @timestamp < "2024-02-28T23:59:59Z"
Negating Filter Functions
- Exclude Specific Subnet:
!cidr(ip, subnet="10.10.0.0/16")
- Exclude Specific Values:
!in(Beverage, values=["Decaf", "Instant"])
Remember, this cheat sheet is a quick reference guide. For more complex queries and functions, refer to the detailed LogScale documentation.