Viewing the data tables
In Devo, an event is a single collection of data, such as a record in a log file. All events have tags assigned to them to identify some key characteristics and to group them into virtual data tables in Devo. Each table collects the events in rows, and a parser associated with the event tag is used to sort the event information into columns. The parser assigns a data type (for example, string, int, and so on) to each column in a table.
In the Devo web application, go to Data Search → Finder to select and open a table for viewing. The screen that displays the table data contains the following elements:
The following sections correspond to the numbered areas of the image above:
(1) Histogram
This graph shows a count of the queried events over the period of time set in the From and To fields of the time range selector.
The data count represented in the histogram is plotted before the actual events arrive in the data table. To avoid overloading the browser's memory, not all the events in the data table are downloaded to the browser. Instead, Devo downloads events in interval blocks within the selected time range. This is important to understand, especially when carrying out certain operations. See the Get server counts and Autofilling options described in the table below.
The histogram is a dynamic graph and gives you the ability to:
- Hover the mouse over the histogram to show the count of events at a specific time.
- Click and drag the mouse across a segment of the histogram to display only the event count for that period and narrow the range of analysis.
- Click on the histogram to jump to the events from that date/time in the data table. In this way, you can use the histogram to navigate the events in the table. If the events from the selected date/time have not yet been downloaded to the browser, clicking downloads them. While this occurs, a blue band appears in the histogram indicating that events are being downloaded to the browser. Alternatively, you can use the table scroll bar to download events to the data table.
The following table describes the settings above the histogram:
This determines the temporal granularity of the histogram. Auto is selected by default, which sets the granularity according to the time range specified using the From and To parameters. Use this setting to apply a different level of granularity.
This applies a logarithmic scale to the y-axis of the histogram instead of the default linear scale, which uses uniform intervals of units. This can be especially helpful when outlying data causes significant spikes or dips that distort your ability to see the detail of the histogram.
This toggle appears after applying a filter to your data. When your data is filtered, the green line automatically adjusts to represent the filtered number of events. Activate this toggle to display a comparison between the count of filtered events (green line) and the full count of events (yellow line).
Get server counts
This button appears after applying a filter to your data. Select it to plot the real count of events in the histogram after applying a filter.
When you apply a filter, segments of the histogram line may appear as dotted lines, indicating that the counts for those subintervals are extrapolated values because the events have not been downloaded to the browser. Click this button to obtain the actual counts for the dotted segments; the line changes from dotted to continuous.
Note that this does not mean the actual events are downloaded to the browser, only that the real event count is reflected in the histogram.
Autofilling
As explained previously, to avoid overloading the browser's memory, Devo does not download all the events automatically, and instead obtains subintervals of events within the selected time range. However, in some cases it is important to have all of the events downloaded. In these cases, the Autofilling setting is useful.
(2) Time range
These tools allow you to apply filters by time.
By default, the web interface shows data from the last 24 hours. To narrow your search, you can select a specific time range. Use extended periods to analyze long-term patterns like an advanced persistent threat.
- Set a new interval or time period, then click Apply Interval to update the data table. Click the Back button to return to the previous time setting.
- Click the spinning clock icon to suspend or reestablish the flow of real-time data. In some cases of extremely large volumes of data, real-time data flow will stop automatically and a warning message will be shown above the table. This is done to prevent the browser from crashing.
Users with the necessary permissions can determine if real-time data flow is active or inactive by default when users run queries. Go to Preferences → Account Preferences → Global to access this setting. For more information, see Preferences.
(3) Table toolbar
This toolbar offers a rich set of tools to work with the table data including grouping, aggregation, data download, and more. Hover over each icon to see its tooltip. For more details about these functions, see Table toolbar features.
(4) Applied search operations
Any operations you apply to the table are listed here. This way, you can easily consult the operations affecting the data, modify them, or undo them.
(5), (6) Data column and data row
In the data table view, each row represents an event and each column represents a data value correctly recognized by Devo. If the data is not split into separate columns, or appears under the unknown tag structure in the search view, this is normally due to missing or incorrect tags.