Version:

Drilldown

You can refine your search query by clicking the content of the results (key-value pairs or raw log messages) after the search has been done. Clicking on any value in the result adds a filter component to original search query. You can combine any number of filters, thereby making complex drill-down actions. The filter components (key-value pairs or raw log messages) are highlighted in the results as you drill down deeper. If you want to undo the drill-down on any component, click it.

For example, if you want to view successful login events for the user rst@LogPoint.com from the IP: 192.168.2.20, click successful login in the action field and click the user rst@LogPoint.com. Finally, click IP: 192.168.2.20. The clicked value is added to the query and is displayed in the query bar.

../_images/LP_Search_Drilldown_Example.png

Drilldown Example

The example above is for the drill-down search conducted on the filesystem, the LogPoint, and the localhost respectively. Note that the filter components “device_name”=”localhost”, “collected_at”=”LogPoint”, and “col_type”=”filesystem” automatically appear in the search query.

You can also carry out a negative drill-down search in the same manner. However, in this case, you have to use the Shift key while selecting the filter components (key-value pair or raw log messages).

../_images/LP_Search_Drilldown_NegativeExample.png

Negative Drilldown Example

The screenshot above is for the negative drill-down conducted on the filesystem, i.e., the filter component filesystem is selected from the result’s content while pressing the Shift key. Note that the query -(“col_type”=”filesystem”) automatically appears in the search query. You can see that the result does not include the component filesystem.

You can also drill down on the result graphs, logs, and the normalized key-value pairs.

Actions in the Field-Value Pairs

Once you execute a search query, you can apply various actions to the key-value pairs displayed. Click the drop-down menu on the key-value pairs to view the actions.

Top 10 Fields

You can view the Top 10 Fields for the selected fields and values. If you want to view the results for the particular search field, click for this search, else, click for the whole database.

Time Trend for Fields

You can view the Time Trend for the selected fields. If you want to view the results for the particular search field, click for this search, else, click for the whole database.

Time Trend for Full Resultset

You can view the Time Trend for the full result-set. If you want to view the results for the particular result-set, click for this search, else, click for the whole database.

Exclude field

You can perform a negative drilldown of the specific field-values by clicking the Exclude fields link. For example, if you click Exclude from the drop-down menu of the result set, Value=read2, all the results containing the field-value “read2” are removed.

../_images/LP_Search_Drilldown_Actions_BeforeExclude.png

Before Excluding

../_images/LP_Search_Drilldown_Actions_AfterExclude.png

After Excluding

The example above describes the Exclude operation on the value read2.

Note

The query -(“Value”=”read2”) is automatically appended in the search query after clicking Exclude.

Explore in Search Template

You can drill-down any value in the search results directly into a search template. Clicking the Explore in Search Template option redirects you to the search template with the selected value filled in the corresponding field.

The Explore in Search Template option appears only for the search templates that contain the selected field in their respective Fields section.

../_images/LP_Search_Drilldown_Actions_ExploreST1.png

Explore in Search Template

Request for field

This option is applicable for the key-value pairs which are included under the Data Privacy Module. Clicking this option opens the Data Privacy Request panel from which you can make a request to view the decrypted values of the encrypted fields. After a request is accepted by a granting user, you can search for the specific field.

To view the decrypted key-value pairs, follow the steps given below:

  1. Go to Settings >> Configurations from the navigation bar and click Data Privacy Module.

  2. Click the Search icon for the granted field under the My Request tab.

  3. LogPoint redirects you to the Data Privacy Search from where you can view the decrypted values.

../_images/LP_Search_DfLR_Actions_DPG_1.png

Before requesting

../_images/LP_Search_DfLR_Actions_DPG_2.png

Request Drilldown

../_images/LP_Search_DfLR_Actions_DPG_3.png

Data Privacy Module Field Request Panel

../_images/LP_Search_DfLR_Actions_DPG_4.png

Granted Request

../_images/LP_Search_DfLR_Actions_DPG_5.png

Data Privacy Search Page

Add this field to interesting fields

You can select Add this field to interesting fields from the drop-down menu on the key-value pairs to add the required field in the Interesting Fields window. The fields added from here can be seen in the Add Fields panel of the Interesting Fields window.

Hide Fields

You can select Hide this field from the drop-down menu on the key-value pairs to hide the required field value(s). You can also hide the fields by going through the My Preferences >> Search >> Search Log Fields and entering the field name(s) in Hide these Fields text box. Refer to My Preferences for more details.

Recover Hidden Fields

  • Click the User drop-down menu at the top-right corner of the interface and select My Preferences.

  • Select Search.

  • Under Search Log Fields, deselect the hidden fields from the Hide these Fields text-box to unhide the fields.

Display maximum

Select a value from the drop-down menu to view the specified number of logs per page. The default value is 25.

Helpful?

We are glad this guide helped.


Please don't include any personal information in your comment

Contact Support