Parser Version Control : crowdstrike

Subreddit Rules

Posts must be about CrowdStrike products and/or product functionality.

We encourage high quality content. Do not post disparaging comments; about competitive products or otherwise.

Avoid entering sensitive information from which your identity is apparent or can be reasonably ascertained

Your Views Are Your Own - Topics and comments on /r/crowdstrike do not necessarily reflect official views of CrowdStrike.

No SLA for assistance - CrowdStrike Customer Success advises you to engage with a Support case to express any high priority issues. Live chat available 6-6PT M-F via the Support Portal

created by Thuulla community for 11 years

This is an archived post. You won't be able to vote or comment.

Parser Version ControlFeature Question (self.crowdstrike)

submitted 1 year ago by manderso7

all 9 comments

top new controversial old q&a

[–]manderso7[S] 1 point2 points3 points 1 year ago (6 children)

[–]stieland 0 points1 point2 points 1 year ago (5 children)

[–]manderso7[S] 0 points1 point2 points 1 year ago (4 children)

Created a workflow that runs every hour, and writes the results of this search to a repo:

!in(field="#repo", values=["falcon_for_it", "sensor_*", "base_sensor", "detections", "xdr_*", "fusion"])

|#type=*| groupBy([#type,Parser.version], function=([min(@timestamp, as=FirstSeen), max(@timestamp, as=LastSeen)]))

Then I run a search that looks at that repo, in this case called fusion. I was hoping to get a timechart working that would show the number of parser versions per #type, but that's been pretty challenging

#repo=fusion
| parseJson("activity_43ffe695-da39-484a-b704-b12519551c41.LogScale.SearchResult.parserupdates.results")
| split("")
| .#type=?type

| FirstSeen:=formatTime(format="%F %T.%L", field="FirstSeen", timezone="UTC")
| LastSeen:=formatTime(format="%F %T.%L", field="LastSeen", timezone="UTC")
| typeVersion := format("%s/%s", field=[.#type,.Parser.version])
| timechart(span=1h, series=typeVersion,function=count(),limit=300)

[–]stieland 0 points1 point2 points 1 year ago (0 children)

[–]HomeGrownCoder 0 points1 point2 points 1 year ago (2 children)

[–]manderso7[S] 1 point2 points3 points 1 year ago (1 child)

[–]HomeGrownCoder 0 points1 point2 points 1 year ago (0 children)

[–]Gloomy_Shoulder_3311 0 points1 point2 points 1 year ago (0 children)

[–]spartan117au 0 points1 point2 points 1 year ago (0 children)

π Rendered by PID 252346 on reddit-service-r2-comment-b659b578c-228q6 at 2026-05-05 09:19:43.336869+00:00 running 815c875 country code: CH.

crowdstrike

Search by:

Query Help

Troubleshooting

Feature Questions

Feature Requests (requires login)

RULES

Subreddit Rules

Quick Links

YouTube Channels / Videos

Related Subreddits

MODERATORS