Tips and Tricks for Building Queries

Quickly understand the components of LEQL to efficiently search your log data.

Order of operations

LEQL queries must be formatted in a specific order to generate the correct results.

After choosing the log sets you want to query, you can then select log entries to narrow your search, break log entries into sets to identify groups, and perform calculations to quantitatively understand your data.

Log Search Order of Operations

Select log entries

Begin writing a query by narrowing your search with a smaller selection of log entries. Start a query with a where() clause to look for log events.

LEQL essentials

CharactersDescriptionExample
where( )Returns log events where the word "powershell" is present, case sensitive.where(powershell)
" " Returns log events where the string "powershell.exe" is present, case sensitive, ignoring the period as a special character.where("powershell.exe")
/ \Returns log events where the string "password" is present with the quantifier, "{2,5}", stipulating the preceding character, "s", occurred a minimum of 2 times and a maximum of 5 times; 'password', 'passsword', 'passssword', or 'passsssword'.where(/pass{2,5}word/)
{ }Returns log events where the character "w" occurs three consecutive times.where(/w{3}/)
[ ]Returns log events where the characters "1", "2", and "3" are present in the event_code key.where(event_code IN ["1", "2", "3"])
.Returns logs events where the event-code key equals "467" with the character following "467" as a wildcard: "4673", "4674", "4675", and so on.where(event_code=/467./)
/.*text.*/Returns log events where the word "password" is present, regardless of what proceeds or follows the word if the word were to appear in a string.where(/.*password.*/)

Logical operators

SyntaxDescriptionExample
ANDReturns log events that match both criteria.expr1 AND expr2
ORReturns log events that match one or both criteria.expr1 OR expr2
NOTReturns log events that match expr1 but not expr2.expr1 NOT expr2

Comparison operators

SyntaxDescriptionExample
=Returns log events where the key equals a specific value. You can input a numeric or string value.KeyA=3
!==Returns log events where the key values are not the same. You can input strings or numeric values.KeyA!==KeyB
==Returns log events where the key values are the same. Use this operator to compare keys. You can compare strings or numeric values.KeyA==KeyB
< >Returns log events that are less than or greater than the specified value. You can input a numeric value or key.KeyA<KeyB or KeyA>KeyB
<= >=Returns log events that are less than or equal to, or greater than or equal to the specified value. You can input a numeric value or a key.KeyA<=KeyB or KeyA<=3 or KeyA>=KeyB or KeyA>=3

Learn more about comparison operators.

Regex

SyntaxDescriptionExample
/Returns log events where "kurt cobain" is present using regex; the "/" character must be used to begin any regex query.where(/kurt cobain/).
\Returns log events where a "." is a part of the value, not a regex single character wildcard.where(user=/jennifer\.lopez/)
.Returns log events where the string "202" is followed by any single character wildcard.where(year=/202./)
{ }Returns log events where the key is outgoing_bytes and the value begins with "5" and "0" repeated 9 times: "50000000000".where(outgoing_bytes=/50{9}/)
[ ]Returns log events where the key is asset and the value can range from "acme01" to "acme09".where(asset=/acme0[1-9]/)
?Returns log events where the character closest to the '?' is optionally present: "passwords" or "password".where(/passwords?/)

Learn more about regex.

Variables

SyntaxDescriptionExample
${ }Opens a previously stored single-value LEQL variable that can be referenced using the specified keys.${single-value variable}
[${ }]Opens a previously stored list-value LEQL variable that can be referenced using the specified keys.[${list-value variable}]

Learn more about variables.

Break log entries into sets

Now that you've narrowed your search, you can separate your log data into even smaller categories with clauses.

Clauses

SyntaxDescriptionExample
groupby()Returns logs where users have failed authentications, grouped by user.where(result ISTARTS-WITH "failed") groupby(user)
having()Returns logs where users have failed authentications, grouped by users that have 5 or more failed authentications.where(result ISTARTS-WITH "failed") groupby(user) having(count>=5)
sort()Returns logs where users have failed authentications, grouped by user, and sorted from highest to lowest number of failed authentications.where(result ISTARTS-WITH "failed") groupby(user)sort(dsc)
limit()Returns logs where users have failed authentications, grouped by user, but only showing 10 results.where(result ISTARTS-WITH "failed") groupby(user) limit(10)

The sort() clause must precede the limit() clause and immediately follow the groupby() clause when writing a query.

Learn more about groupby, having, sort, and limit.

Perform a calculation

Finally, you can leverage LEQL functions to perform calculations from the query bar.

SyntaxDescriptionExample
calculate(count)Returns log events where the word "powershell" is present, grouped by the user, and the number of occurrences for each group has been calculated.where(powershell) groupby(user) calculate(count)

Learn more about calculations.