Log Search Glossary

New Log Search is available for Open Preview

We are rolling out a new Log Search experience to customers with an open preview starting January 31st, 2023. All Log Search documentation impacted by the redesign will be updated incrementally to support this revitalized user experience. You can still use original Log Search during this open preview. Both the original and New Log Search will exist in parallel until development is complete. For now, review the topic on new Log Search and navigate to the Log Search Open Preview page in InsightIDR to become familiar with the new layout. Check back soon for fully updated documentation.

Familiarize yourself with the terms that are used in the Log Search documentation and UI.

Scope of this Glossary

The definitions provided in this topic are relevant exclusively to Log Search in InsightIDR. However, the same or similar terms may be used in other product areas and might have different meanings.

Quickly navigate through the glossary by clicking the first letter of the term that you want to learn about.




See Insight Agent.


A notification that informs you of notable events and suspicious behavior captured by InsightIDR. InsightIDR has built-in alerts, which are generated by UBA or ABA detection rules. However, you can also create custom alerts, which can be one of three types: Inactivity Detection Alerts, Pattern Detection Alerts, and Change Detection Alerts. For more information, see Create and Manage Custom Alerts.

application programming interface (API)

A set of programming code that allows data transmission between one software product and another. For example, you can use the Log Search API to bulk query log sets, manage saved queries, and retrieve contextual log entries.


A single device on a network that can be identified by its IP address. In the Web interface and API, an asset may also be referred to as a device.


The process of mapping user accounts (for example, from Active Directory) to the endpoints where users log in. This makes it easier for analysts to investigate alerts by searching for the user who is involved, rather than by searching for an IP address or a host name.



Rapid7 software that either polls data or receives data from event sources and makes it available for InsightIDR analysis. An event source represents a single device that sends logs to the Collector. By default, the Collector filters logs to cut down on duplicate or unnecessary data. The Collector sends the log data to the Insight Cloud for analysis.


entry inspector

A feature on the Entries tab, which allows you to view more details about a single log entry and run queries based on that entry. View the Entry Inspector documentation.


Events provide insight about what is happening in your environment, such as user actions, system events, or errors. An event is typically recorded as a log entry—along with other events of the same type—in a log. Logs enter InsightIDR from one or more configured event sources.

event source

Informational sources that you can connect to InsightIDR to provide visibility across your environment. Event sources can be networks, servers, firewalls, or anti-virus software. For example, if you have three firewalls in your environment, you will have one event source for each firewall.

event type

A data structure that defines the data contained in an event. When event data comes into the InsightIDR system as logs, (such as from the Collector, event sources, sensors, or Insight Agent) the application classes that event data as a particular type. For example, Firewall Activity.


Insight Agent

An Insight Agent is lightweight software installed on an endpoint to monitor the endpoint and report security-relevant events. The Insight Agent monitors specific event codes and collects endpoint telemetry data to provide an enhanced understanding of your endpoints' activity and drive quicker response time to detections. The agent collects data only from the asset on which it is installed.

IP address

An Internet Protocol (IP) address is the unique number that is assigned to either a physical or virtual machine.



In Log Search, you can create custom alerts that apply labels (also known as tags) to log entries to give a visual indication of the type of information they contain. For example, a warning label can be applied to log entries that contain one or more specific values that users should be warned about.


Log Entry Query Language (LEQL) is a powerful search language that allows you to construct queries to extract the hidden data in your logs.


A collection of log entries that contain timestamped data about events. In InsightIDR, logs are typically named based on the event source. For example, Firewall: New York Office.

log entry

The data that is collected about an individual event, which is organized into keys and values. One log can contain hundreds or thousands of log entries.

log key

A Universally Unique Identifier (UUID) that is used to identify and manage a log in the UI and API, such as for setting its name.

log set

A log set is a collection of multiple logs. In InsightIDR, a log set is defined (by default) by the type of event within the log stream, such as Firewall, DNS, Active Directory, and other event types. You can optionally create custom log sets in Data Collection or by using the API.

log sources

The logs and log sets that act as the source of all of the data in Log Search.

log token

A Universally Unique Identifier (UUID) that is used to identify a log when sending data to that log in the Log Search platform service.



Also referred to as a field, the key is a constant that defines the data in your logs. For example, the key could be geoip_country_name and a value that pertains to that category might be, United States. When logs are presented in the Table view in Log Search, the key names in the log become the column headings.

key-value pair

You can search for data in your logs by entering a combination of a key and any corresponding value. This is known as a key-value pair. For example, geoip_country_name = United States. Note, that key-value searches support various operators, such as =, !=, IN, CONTAINS. The operators that are supported depend on the type of key. LEQL supports strings, numbers, IP addresses (CIDR), lists, and regular expressions.

A keyword search allows you to find a string in any log, regardless of its format. Keyword searches are case-sensitive by default and will match a full string until it is delimited by a non-letter character.



InsightIDR supports both logical and comparison operators, which allow you to create more complex searches. Logical operators include AND, OR, and NOT. Comparison operators include =, !=, IN, CONTAINS.


parsed data

Data parsing is the process of taking data in one format and transforming it to another format. See also, unparsed data.



A precise request to retrieve information from within database and information systems. In Log Search, you type a query into the search bar to retrieve data from log entries.


regular expression

A regular expression (Regex) is a short-form query syntax that can be used along with LEQL to build queries in Log Search. Regular expressions use special characters as operators to allow you to search for more advanced patterns.

raw data

Unmodified or unparsed data that is collected from a non-standard event source, such as a custom script. By default, raw data is stored in the Raw Log log set.



A model or structure that organizes data into a specific format, so that the data can be read by the application.

search term

A simple text or numerical value that can be used to search log data.

search pattern

The partial or full contents of the where statement in a query. The search pattern is what you use to filter your data.


unparsed data

Data that is being collected by event sources is often parsed, but it can also enter the application as unparsed data. The Unparsed Data log set contains events that are collected from standard event sources that were not parsed as other types of activity. This behavior is enabled by selecting the Send Unparsed Data option when you configure an event source. You can view parsing information by going to the Event Source Health screen in InsightIDR. See also, parsed data.


One of the preset roles in InsightIDR. It can also be defined in log data to identify the individual who was involved in log entries. You can investigate users in the Log Search screen or in the User Details screen.



Logs contain both keys, which are like fields, and values, which are like entries in a field. A value is the identifying piece of data, pertaining to a key, that you can search by. For example, if the key is geoip_country_name, one of the possible values that pertains to that key might be United States.

From the Visualizations tab, you can display log data and query results in interactive graphs and charts. You can click on the charts to narrow your search according to numerical or time-based parameters. View the Visual Search documentation.