Build a query in the search window

The search window toolbar includes quick access to all these groups of operations for data querying. 

Operations over columns window

The Operations Over Columns window opens when you select one of the operations above mentioned. This is where you define the required function and select the arguments needed for your query.

• The Create Column and Aggregate Function tabs contain the same fields. Both types of operations create a new column to contain the results of the selected operation performed on the selected argument(s), or columns. For example, the capture below shows an aggregation that will add a new column called HTTPrequests and will contain the count of grouped values in the user column.
  
  

  Note that you must group your data before performing an aggregation operation, so the Aggregate function tab will not be visible if your data is not grouped.

  The Create Column tab includes buttons to filter the list of operations according to their case sensitivity. Some operations have a case sensitive and case insensitive version, so you can use these buttons to show only the version you need.

  

• The Filter Data and Or tabs contain different fields and options because a filter doesn't add a column; but rather the results of the selected operation performed on the selected argument(s) will be the inclusion or exclusion of rows from the query data. For example, the capture below shows a filter that will exclude (negated) records that contain a value in the countMethod column that is less than or equal to 150. 
  
  
  
  Just like the Create column tab, the Filter data tab includes buttons to show only case insensitive or case insensitivity versions of those operations that have both options.
  
  
• The Group by tab contains a selector where you can choose the time period by which you want to group your data. Furthermore, you can also select No temporal if you don't want to group by time. In the capture below we are grouping the data in the uri and method columns every 15 minutes.
  
  

In most of the tabs, you need to select an Operation from the drop-down list, then click New Argument to activate the field where you identify the necessary arguments. These two fields are interdependent. That is to say, the system will automatically validate or reject certain arguments based on the operation you have selected. Similarly, the system will identify valid operations in green and invalid operations in orange based on any arguments you have selected. For example, the capture below shows that for the selected argument eventdate, the operations that can be performed on that type of field are in green, while the invalid operations are shown in orange.

Each operation requires a specific number or type of argument(s). In some cases, you can also enter free text as an argument selecting this icon .

For more information about an operation's requirements, click the info icon next to the Operation field as shown below.

This operation has only one format, but some others accept different combinations, which are always indicated in the information section (e.g. the Rounding (round) operation has two different formats: round(arg_1) → result and round(arg_1, arg_2) → result). You can also check the number of arguments needed (in this case two) and the required format of the data you link to each argument (string, integer, float...).

Hints

• If you have too many or insufficient arguments, the system will automatically send you a warning message.

• If you haven't chosen the proper arguments, the system will automatically notify you.
  
  

Filter data 

Apply filters to table data to isolate or exclude specified field values. The results are returned immediately and displayed in chronological order and at the same time. The timeline is updated to match the query.

1. Select the  icon in the query window toolbar. The Operations Over Columns window appears with the Filter data option selected.
2. Choose the required filter type in the Operation drop-down list.
3. Select the arguments of the filter. Depending on the filter type selected, you will be prompted to select a set of specific arguments. 
   You can select columns or also enter free text clicking the  icon, as is sometimes required for an operation. For example, you might filter for URLs that contain the string bing. Then choose normal to include the filtered events, or select negated to exclude the filtered events.
4. Click Filter data when you're done. The data table will only show those events that meet the conditions of the filter applied.

Alternatively, you can create a filter in one of the following ways:

• If you select a cell from the data table and press ENTER, the Operations over columns window will be open in the Filter data tab, and the Equal (eq, =) operation selected. The cell selected and the column it belongs to will be automatically added as arguments of the filter.

• Select the arrow icon that appears when hovering over a column header to see the list of distinct values in that column, then click a value name. The Operations over columns window will be open in the Filter data tab, and the Equal (eq, =) operation selected. The column and value selected will be automatically added as arguments of the filter.

  

Filter column data using the OR selector 

You can also filter the data using the OR selector, allowing you to include specific values from one or several columns to define a filter that displays events that meet x OR y conditions.

1. Select the  icon in the query window toolbar and the Operations Over Columns window appears with the OR option selected.
2. Hover over a column header and a down-arrow icon appears. Select it to open the top 10 column menu. Select the check box of any value from this list. Now select at least one more value from the list to add it to the OR filter. You can also select column values from other columns.
   
   
   
3. Select the operators that define the filter you wish to create and select Apply. In this example, we wanted to look at the session events that had a status code of either OK (200) or Bad request (400).
   
   
   

You can also apply an OR filter directly in the top 10 values list. The Operations Over Columns window will appear once you select the first value.

Group data 

Events in a data table can easily be grouped to facilitate analysis. The result of grouping is a data table presenting all the different row value combinations of the grouped columns. Grouping is also required in order to subsequently apply aggregation operations on the data.

1. Select the  icon in the query window toolbar and the Operations Over Columns window appears with the Group By option selected. 
2. Choose the time period you want to use to group the events and the arguments you want to use to define the groups.
3. Select Group by. The result will be a row for each unique combination of arguments and time period. 

After grouping the data, you can continue applying groups as many times as necessary. 

There are two different types of grouping:

• No time-based - Select No time-based grouping at the bottom of the Every field to get all the possible combinations of the columns added as arguments. In the following example, we have grouped the data using the Server and OperatingSystem columns as arguments to get all the possible combinations of operating systems and servers.
  
  
  
  
• Temporal - You can include a time period when you group data in order to facilitate data analysis. Select the period you want to group by in the Every field. Note that the more columns you add as arguments in a temporal grouping, the less information you will extract, since the result will look more and more like the original table. This lets you see the different combinations of operating systems and IPs every 15 minutes.

In Devo, groupings use two different time periods to group the data. After grouping the data, you will see two different tabs in the applied search operations bar, each one indicating one of the grouping period types:

• Server grouping period - The first tab is the grouping period asked to the server. When you select a large period for your grouping, the server is requested to download a smaller interval, and is then recalculated to show the period you chose. 
• Client grouping period - The second tab is the grouping period used by your browser and is the actual period you indicated in the grouping. Modifying this period does not request data to the server again, but only recalculates the groups locally. 

For example, if you group data by three hours, Devo automatically sets the server grouping period to 30 minutes. Then, data is recalculated and grouped every three hours, which is the period you indicated in the query window.

To edit the period of a grouping, you can either click the pencil icon in the second tab of the grouping or select Additional tools → Edit Client Period.

Aggregate data 

Aggregations are operations that can be performed on table data that has already been grouped by a time interval. Aggregate functions perform a calculation on a set of values and return a single value. Operations include counting records in a group, identifying the minimum or maximum value in a group, or calculating the sum of field values in a group. When you create an aggregation, a new column appears in the table displaying the results of the operation.

Having already grouped your table data by a selected time interval, follow these steps to aggregate the grouped values:

1. Select the  icon from the query window toolbar. The Operations Over Columns window appears with the Aggregate function option selected. 
2. The Column Name is calculated automatically based on the aggregation and arguments you choose. However, you can edit this value if you prefer. Select the Aggregation drop-down list to select the type of aggregation you will perform on the selected argument. To get more information about an aggregation type, click the info icon. Click New Argument to select the arguments on which you want to perform the aggregation.
3. When you're done, select Aggregate function to add the column containing the aggregated values to the table.

Create columns 

You can create new columns in your data tables based on other data already present. For example, apply a geolocation operation to an existing IP address column to create a new column that identifies the country. Devo comes with predefined standard operations to help you create new columns but you can also create custom operations, based on lookup tables, suited to your organization's particular information. See Data enrichment for information about creating custom lookup tables in Devo.  

1. Select the  icon in the query window toolbar and the Operations Over Columns window appears with the Create column option selected.

2. Enter a Column Name and choose the required operation type in the Operation drop-down list. You can filter the list of available operations using the buttons next to the drop-down:

   Standard	Shows only the predefined operations in Devo.
   Custom	Shows only the custom operations based on lookup tables.
   All	Shows all the available operations.

   Note that if you have grouped or aggregated your data, you will only have access to standard operations, and the buttons will not be visible.

3. Select the arguments for the operation. Depending on the operation type selected, you will be prompted to select a set of specific arguments. 
   You can select columns or also enter free text clicking the  icon, as is sometimes required for an operation. For example, you might want to create a column that displays only those transfer times greater than 200 seconds.
4. Click Create column when you're done. The new column will display the results of the operation defined.