Working in the query window
Once you open a data table, you are redirected to the query window, where all the events corresponding to the tag you have selected appear arranged in rows and columns, forming the data table. This is where you can start to query your data, apply operations using the set of tools in the toolbar, and customize the appearance of the data table by rearranging columns, filtering the data, and so on.
The query window contains the following elements:
This useful graph shows a count of the queried events over the period of time set in the From and To fields of the time range selector.
The data count represented in the histogram is plotted before the actual events arrive at the data table. To avoid overloading the browser's memory, not all the events in the data table are downloaded to the browser. Instead, Devo downloads events in interval blocks within the selected time range. This is important to understand, especially when carrying out certain operations. See the Get Server Counts and Autofilling options described in the table below.
The histogram is a dynamic graph and gives you the ability to:
- Hover the mouse over the histogram to show the count of events at a specific time.
- Click and drag the mouse across a segment of the histogram to display only the event count for that period and narrow the range of analysis.
- Click on the histogram to jump to events from that date/time in the data table. In this way, you can use the histogram to navigate the events in the table. If the events from the selected date/time have not yet been downloaded to the browser, this will download them. When this occurs, a blue band appears in the histogram indicating those events that are being downloaded to the browser. Alternatively, you can use the table scroll bar to download events to the data table.
The following table describes the settings above the histogram:
This determines the temporal granularity of the histogram. Auto is selected by default, which sets the granularity according to the time range specified using the From and To parameters. Use this setting to apply a different level of granularity.
This applies a logarithmic scale to the y-axis of the histogram instead of the default linear scale, which uses uniform intervals of units. This is especially helpful when outlying data causes significant spikes or dips that distort your ability to see the detail of the rest of the histogram.
This toggle appears after applying a filter to your data. When your data is filtered, the green line automatically adjusts to represent the filtered number of events. Activate this toggle to display a comparison between the count of filtered events (green line) and the full count of events (yellow line).
Get server counts
This button appears after applying a filter to your data. Select it to plot the real count of events in the histogram after applying a filter.
When you apply a filter, segments of the histogram line may appear as dotted lines, indicating that the counts are actually extrapolated values for those subintervals that have not been downloaded to the browser. Click this button to obtain the actual counts for the dotted segments. The line will change from dotted to continuous.
Note that this doesn’t mean the actual events are downloaded to the browser, just that the real event count is reflected in the histogram.
As explained previously, to avoid overloading the browser's memory, Devo doesn't download all the events automatically, and instead obtains subintervals of events within the selected time range. However, there are some cases when it is important to have all of the events downloaded. In these cases, the Autofilling setting is useful.
The histogram appears embedded at the top of the query window by default. You can make it a standalone window or close it using the icons at the top right corner of the graph. After closing it, you can open it again by selecting Additional Tools → Query Info → Toggle Chart in the query window toolbar.
Time range selector
These tools allow you to apply filters by time. By default, the web interface shows data from the last 24 hours. To narrow your search, you can select a specific time range. Use extended periods to analyze long-term patterns like an advanced persistent threat. You can perform the following actions:
Set a new time interval
Select the new interval in the From and To fields, then click Apply Interval to update the data table. Click the Back button to return to the previous time setting.
Activate or deactivate real-time data flow
Click the spinning clock icon to suspend or reestablish the flow of real-time data. In some cases of extremely large volumes of data, real-time data flow will stop automatically and a warning message will be shown above the table. This is done to prevent the browser from crashing.
Users with the necessary permissions can determine if real-time data flow is active or inactive by default when users run queries. Go to Preferences → Account Preferences → Global to access this setting. For more information, see Domain preferences.
Apply previously used time intervals
Use the Back button to apply previously selected time intervals in your query.
Additionally, the Time Interval History tool allows you to easily apply previously selected time periods in the current or other data tables, to facilitate the analysis of data over time. The results can be used in reports or to create dashboard data sources from different time intervals.
Select the required interval in the Available Time Intervals area. When there are multiple active queries, check boxes will be available to let you apply the interval to more than one query. The current query is selected by default.
Query window toolbar
This toolbar offers a rich set of tools to work with the table data including grouping, aggregation, data download, and more. Hover over each icon to see its tooltip. These are the default tools displayed in the toolbar:
| Tool | Description |
|---|---|
| Time interval history | Apply time intervals previously set in any active queries. Learn more about this in the previous section. |
| Search column layout | Hide or show columns in the data table to work only with the necessary ones. Check out Hide and show columns to learn how to do it. |
| View selected events | Check information of specific events in the data table. |
| Column operations | Access a set of operations to edit and arrange the table columns. Learn more about these operations in the articles in Modifying the column layout. |
| Toggle query editor | Open a query editor where you can build or modify the current query using LINQ. |
| Toggle search tree | Display a tree map representing all the operations applied to the original data table. See the section below to learn more. |
| New alert definition | Define alerts to monitor active queries and receive notifications when certain conditions occur. Check the instructions in Configuring alerts. |
| Aggregation | Perform aggregation operations on table data that has already been grouped by time interval. |
| Group | Group data to get all the different row value combinations of the grouped columns. |
| OR filter | Retrieve records that have any of the specified values for a given property. |
| Filter | Filter data to retrieve certain values or exclude them from the table. |
| Create column | Create columns in your data tables based on other table data. |
| Download | Download your query in different formats. Go to Download a query for further information. |
| Additional tools | Access a set of additional operations that do not appear in the default toolbar. |
| Close search | Close the current query. |
You can customize the default toolbar configuration to provide quick access to the tools that you use most frequently. You can perform the following actions to customize your toolbar as needed.
Add a new tool to the toolbar
Select Additional tools and navigate to the required tool in the list. Point to its icon and, when the cursor becomes a move pointer, drag the tool to the table toolbar. The icon will appear as the first tool in the toolbar.
Change the order of the tools
Select the tool you want to move and drag it to the new position in the toolbar.
Remove a tool from the toolbar
To remove an icon from the table toolbar, select, hold, and move it to the dynamic trash bin that appears.
Save and restore the toolbar configuration
After adding the tools you use the most to the toolbar and moving them as required, select Additional tools → Panel → Save Panel. The custom toolbar will appear the next time you access the query window, no matter which data table you open. Select Additional tools → Panel → Reset Panel to restore the original toolbar configuration.
Applied search operations
Any operations you apply on the table will appear listed above the data table. This way, you can easily consult the operations affecting the data, modify them, or undo operations. You can go back to any of the operations applied and start a new path of actions from there.
Select the Toggle Search Tree tool to display a visual record of all the modifications applied to the original data table. The actions and their sequences are displayed in a tree. Select any point in the tree to display the query results at that point in the sequence of modifications. If you select an operation in a branch different from the current one, that path will be shown in the applied operations bar.
Each tab in the bar and each node in the tree appears in a color that denotes the type of action taken. The color code is described here:
In the data table, each row represents an event and each column represents a data value correctly recognized by Devo. If the data is not separated into columns, or is shown in the unknown tag structure of the search view, this is normally due to missing or incorrect tags. Learn more about tags here.