Key concepts

Key LogScale concepts

Understanding some key concepts of Logs, powered by CrowdStrike can help accelerate your ability to effectively parse, manage, and query your log data. You can access most aspects of the Logs feature from within the Chronosphere app. To access administrative features of the full CrowdStrike® Falcon LogScale™, such as managing parsers, packages, and repository settings, Chronosphere opens LogScale in a new tab in your browser.

When getting started with Logs, Chronosphere Support creates a LogScale organization (opens in a new tab) for you and your teams. Within an organization, one or more users act as the organization owner. These users have full access to all available actions within the organization.

Each organization has a default repository (opens in a new tab), which is a collection of data with associated storage. Administrators in your company can create repositories as needed. Typically, each project has its own physical repository that includes users, parsers, saved queries, and dashboards.

Although optional, you can create views (opens in a new tab) to group specific events from one or more repositories. Views don’t contain any data, but provide the ability to look across multiple repositories. You can create views to limit access to repository data by some users. Administrators can grant access to multiple repositories from a single view.

As part of repositories, administrative users can create packages (opens in a new tab) to download parsers and queries to upload into a new repository. This capability lets you bundle repository assets and distribute them across one or more repositories, instead of recreating each asset.

When sending logs to LogScale, you must parse the data before storing it in a repository. LogScale requires you to select an existing parser (opens in a new tab) or create a custom parser so that it knows how to create columns from your raw log data. Parsing ensures faster queries because LogScale uses a schema-on-read approach. You can select an existing built-in parser, duplicate and modify an existing parser, or add a parser from the LogScale Marketplace. Because parsers are unique to each repository, if you have multiple repositories you must copy the parsers you want to use to each of them.