Searching data / Accessing data tables / Run a global search

Run a global search

What permissions do I need to perform a global search?

In order to access this area to perform a global search (Data Search → Explore Your Data → Global Search tab), you need to have a role with management permissions on Global Searches (Administration → Roles → Permissions tab).

If you do not have this permission, you will not be able to see the tab and hence perform any global search.

Be aware that this permission requires to have management permissions on Finders to be activated.

Domain feature

Note that this feature is only enabled in certain domains by default so even though you have the required permissions, you might still be unable to see it. If you need to use it and is not enabled in your domain, contact the Devo support team.

Using the global search

Users with the necessary permissions can run a global search in Devo to find events containing specific values across all the data tables in their current domain.

Go to Data search and select the Global search tab.
Click to open the time menu and select the time period over which you want to search (see the section below for more info).
Select the tables that you wish to search. Note that, by default, all tables are selected, and switching off one of them will switch off the Select all tables option.
Enter the expression you want to search for. You can use standard AND and OR operators, use an asterisk ( * ) as a wildcard, or quotation marks ( "" ) to indicate exact expressions. For example: user1@domain.comORuser2@domain.comAND"illegal access"AND*apache
Hit the ENTER key to run the search.

Activity shown

In order to avoid long loading times, note that the global search only returns events from data tables that had some activity for the last 7 days.

Setting time ranges for a global search

When setting time ranges, it is important to consider different aspects related to the type of time range specified and the method chosen to do it. You can use the interface to set absolute, relative, or snap-to dates:

Absolute: a specific interval with fixed start and end dates to see data from a specific time period.
Relative: a period of time relative to the current date (last 5 minutes, last day, etc.) to see data progression up to the present.
Snap to: a period of time that goes back to the starting point of the selected time frame to see data without unrepresentative data samples resulting from analyzing incomplete periods. For example, if it is 10:53:17 on a Tuesday:

Snap to the day: you will see data beginning at 00:00 on that same Tuesday.
Snap to the hour: you will see data beginning at 10:00.
Snap to the minute: you will see data beginning at 10:53:00.

You can set a time range using the interface or manually introduce time expressions. Select the corresponding tab below to see the desired method.

You can set a time interval following the steps described in the picture below.

You can also introduce time ranges manually using date language expressions, which gives you more flexibility and precision when searching your data. Simply click on the date field and write the desired time expression or edit the existing one. The field turns red and an explanatory message appears until a valid date is entered. Click Apply when you finish. When the and the expressions will be translated into the corresponding dates.

Invalid expressions

Your from date cannot be after your to date and your to date cannot be in the future.

You can use a mix of both absolute and date language expressions in any given time range (for example, the to date can be relative and the from date absolute, and vice versa). For date language expressions, the current moment "now()" is used as the reference point.

Click here to see the operators...

You can establish absolute dates in the required format:

Operator	Action	Example
yyyy-MM-dd hh:mm:ss	Establishes the specified absolute date	2021-06-30 15:35:23

With date language expressions, use a series of mathematical operations to move away from the current time which is used as the reference point. You can use multiple operators at once and the execution order is from left to right:

Operator	Action	Example
Snap to (@) or \|<	Rounds the date to the beginning of a time unit. Note that this operator only works with 1m, 1d, 1h, 1w, 1W, 1M and 1y.	now() @ 1m or now() \|< 1m
Arithmetics (+/-)	Applies an offset to the date (date + offset or date - offset)	now() - 3h
Replace (^)	Replaces part of the date by a time unit (date ^ time_unit)	now() ^ 6d
Backward & forward (>>/<<)	Shifts the date to the next/past time unit (date >> time_unit or date << time_unit)	now() << 11M

Click here to see examples on time expressions...

Let's suppose the current time (which we refer to as "now()") is Sunday, 05 February 2017, 13:37:05. The table below shows the resulting time when different expressions are applied. Note that this isn't an exhaustive list:

Time expression	Description	Resulting time
now() - 60m	60 minutes ago	Sunday, 05 February 2017, 12:37:05
now() @ 1h	Now (rounded to the beginning of the hour)	Sunday, 05 February 2017, 13:00:00
now() - 24h	24 hours ago	Saturday, 04 February 2017, 13:37:05
(now() - 1d) @ 1d	Yesterday (rounded to the beginning of the day)	Saturday, 04 February 2017, 00:00:00
(now() - 2d) @ 1d	2 days ago (rounded to the beginning of the day)	Friday, 03 February 2017, 00:00:00
(now() - 2d) @ 1m	2 days ago (rounded to the beginning of the minute)	Friday, 03 February 2017, 13:37:00
((now() - 2d) @ 1d) - 2h	2 days ago (rounded to the beginning of the day minus 2 hours)	Thursday, 02 February 2017, 22:00:00
now() @ 1w	Locale week	Sunday, 05 February 2017, 00:00:00
now() @ 1W	ISO week	Monday, 30 January 2017, 00:00:00
now() ^ 6d	Replace the day with 6	Monday, 06 February 2017, 13:37:05
now() ^ 2018y3M6d15h30m20s	Replaces the year with 2018 Replaces the month with 3 Replaces the day with 6 Replaces the hour with 15 Replaces the minutes with 30 Replaces the seconds with 20	Tuesday, 06 March 2018, 15:30:20
now() >> 2M	Forward to next second month	Monday, 05 February 2018, 13:37:05
now() << 2M	Backward to previous second month	Friday, 05 February 2016, 13:37:05
now() >> 2M6d15h20m10s	Forward to next second month, sixth day, fifteenth hour, twentieth minute and 10 seconds	Tuesday, 06 February 2018, 15:20:10
now() << 1h/1d	Goes back to the first hour of the current day. Minutes and seconds don't change.	Sunday, 05 February 2017, 01:37:05

Query performed by a global search

When you perform a global search, you will access the all.data table filtered by the expression you searched for. The default operation used is Contains tokens (toktains). You will see the operation performed under the text box while you enter the expression to look for. This would be the resulting query:

from all.data
where weaktoktains(message, "user@devo.com")

Case sensitive operation

Note that this operation is case sensitive. To ignore case, access your user or domain settings in the Preferences area and choose Case insensitive in the Default case sensitivity in searches dropdown. In this case, the operation would be Contains tokens - case insensitive (weaktoktains).

Table columns in a global search

You can find the following columns with the following information in the table:

eventdate	The date and time in which Devo received the event.
technology	The first and highest tag level. It indicates the type of technology from which the data comes.
brand	The second tag level. It indicates the vendor of the aforementioned technology.
phylum	The third tag level and the first optional, also known as type. It describes and categorizes the data source inside the company.
family	The fourth tag level and the second optional, also known as subtype 1. It further describes and categorizes the data source in case subdivisions are necessary.
genus	The fifth tag level and the third optional, also known as subtype 2. If further describes and categorizes the data source in case more subdivisions are necessary.
species	The sixth and lowest tag level and the fourth optional, also known as subtype 3. It further describes and categorizes the data source in case even more subdivisions are necessary.
tables	The tables in which the token appears.
hostName	The name of the machine from which the event originated.
hostIp	The IP address of the machine from which the event originated.
message	The data received in the event.

Be aware that sometimes the tags from the columns do not coincide with the tables in which the token appears. This is because those tables extract information and metadata from the ones in which they actually appear.

Global search result

In the capture below, we have entered the term info to check the events containing that word in all the tables in our domain. You can filter the table so that only those events contained in specific tables are shown. To do that, you can use the Any name matches (anymatches) operation.

Download as PDF