Use the default finder
An intuitive way to query is by using the four tag level lists of the default finder in the Finder tab. The four lists, from left to right, correspond to the four tag elements. These are technology, application, type, and subtype. When you select a tag level in the first box on the left, the lists in the other boxes will be filtered to display only the levels that the selected tag structures have.
Suppose, for example, you want to view the data table that collects the heartbeat events from the active relays. In this case, you could select, from left to right, syslog, relay, and conf. This will show the table of events with the syslog.relay.conf tag.
Once you select the final level of the tag, the query window will open displaying the contents of the selected data table.
Select the table columns before opening it
Tables with a large number of columns can be cumbersome to work with in the query window and often, many of the columns will not be relevant to the query you want to create. In these cases, you can select the columns that you want to show or hide in the query window, before you open the table.
To do this, select the Column Operations available in the query window to further customize the display of columns in your table.icon on the final level of the tag and choose Show / Hide Columns. This opens a window that lets you select the columns you want to show (checked) and the ones you want to hide (unchecked). Click Apply and the table opens in the query window showing only the columns you selected. You can use the