Collections enable you to filter queries using values that have recently been recorded in another query. By way of example, a collection is like a filter that is used to display the events in query B that contain values that have recently appeared in query A.
Below, we describe how to work with collections:
Creating a collection
When you create a collection, you are creating a list of values that have appeared in a given table over a recent period of time. You will later use that list to filter the events in a different table. The list that the collection contains is dynamic - as the time period that you specify is "rolling", the collection will continually update itself so it includes only the values found recently.
Go to Data Search and open the query whose values you want the collector to monitor. In our example, query A.
- From the query toolbar, select Additional Tools → Table Operations → New Collection. The Add New Collection window appears.
- Click and drag the columns of the table whose values you want to feed the collection to the Columns box. You can choose one or several columns.
- Enter a Name and Description for the collector. We recommend that you list the columns that you've selected in the description.
- Finally, define the Expiration as the rolling time period to monitor the values of the columns selected. Click Save.
Once created, collections are processes that run continuously to maintain a list of the values detected in the query over the recent time period specified.
Go to Administration → Data Management and open the Subquery Collections tab. This displays a list of the collections processes and some of their details.
- Use the ellipsis menu to stop a collection temporarily, or to restart a stopped collection process. A green or red indicator in the status column tells you if a collection is currently running or not.
- Use the ellipsis menu to delete any collections that you no longer need.
- It is not possible to modify the definition of a collection. Instead, you should delete the collection, and create a new one that better suits your needs.
Using a collection to filter a table's events
The active collections are available in the query window as new filter operations.
- Go to Data Search and open the query whose values you want to filter using the collection. This would be query B in our example.
- From the toolbar, select Filter. In the Filter Data tab, use the Operation drop-down list and search for the collector you want to apply.
- The arguments required for a collector operation correspond to the columns specified in the collector. So, if the collector is only monitoring the values in one column, there will only be one argument required. In the example below, there are two arguments required. The argument values are the column names in the current query.
Click Filter Data. The current query is filtered to show only those events where values in one of the argument fields matches a corresponding value found in the collector.
Click the Negated button if you want to exclude, or filter out, the values that are found in the collector.