The Search Views option provides an interface for viewing and working with your search views.
Go to Search from the navigation bar.
Accessing Search Views from the Search Interface¶
From the Search Views section at the bottom-right corner of the page, you can:
See all the search views: Select the All Search Views link at the bottom.
LogPoint redirects you to the Search Views page. It contains a list of all the recently created search views.
Search Views¶
See the search results for a single search view: Click the search view.
LogPoint redirects you to the Search Views Interface. Refer to The Search Views Interface for more details.
Note
You can also filter your search by entering the desired keyword in the filter section.
You can access the Search Views Interface page in two different ways:
By clicking a particular search view in the Search >> Search Views panel.
By clicking a particular search view in the list at Settings >> Knowledge Base >> Search Views from the navigation bar.
The Search Views Interface is divided into three sections, the Query Bar, the Result Panel, and the Top-10 Panel.
The Query Bar along with the Repo selector and Time range appears at the top of Search Views Interface.
Search Views Interface¶
The Result Panel displays the details of the selected Search View.
The Top-10 Panel displays the ten most frequent values of each field selected for the Top 10 list.
Top-10 Panel¶
Note
You can increase the width of the Top-10 Panel by dragging its border towards the Result Panel. This gives you a more complete view of the Top-10 results.
Top-10 Panel Expanded¶
Click Back to Search Views at the bottom-right corner to return to the Search Views list page.
Go to Settings >> Knowledge Base from the navigation bar and click Search Views.
Search Views¶
Click Add to open the Add Search View panel.
Add Search View Panel¶
Provide a Name and a Description.
Select the fields to be used and click Add. These fields appear on the Search Views Interface.
Note
Only normalized fields can be added to a Search View.
You can re-order the fields using the arrows in the Actions column.
Select the fields to Show on Top 10 List.
Click Submit.
Go to Settings >> Knowledge Base from the navigation bar and click Search Views.
Click the Name of the view to edit.
Editing a Search View¶
Update the information.
Click Submit.
Go to Settings >> Knowledge Base from the navigation bar and click Search Views.
Click the Click to Share icon in the Actions column for the view.
To share multiple Search Views, select the views you want to share. Click the More drop-down menu and choose Share Selected With Other Users.
To share all the Search Views, click the More drop-down menu and choose Share Selected With All Users.
Note
Follow the same method to Unshare search views.
Go to Settings >> Knowledge Base from the navigation bar and click Search Views.
Click the Clone icon in the Actions column for the view.
To clone multiple Search Views, select the views you want to clone. Click the More drop-down menu and choose Clone Selected.
To clone all the Search Views, click the More drop-down menu and choose Clone All.
Enter a new Name for the cloned Search View.
Check the Replace Existing? checkbox to replace an existing view with the same name.
Click Clone.
Go to Settings >> Knowledge Base from the navigation bar and click Search Views.
Click the Delete icon in the Actions column for the view.
To delete multiple Search Views, select the views you want to delete. Click the More drop-down menu and choose Delete Selected.
To delete all the Search Views, click the More drop-down menu and choose Delete All.
A delete confirmation dialog box appears. Click Yes to proceed.
Note
Clone, Information, and Use are the only actions available for Search Views that were shared with you.
Go to Settings >> Knowledge Base from the navigation bar and click Search Views.
Click the Use icon in the Actions column of the concerned view.
LogPoint redirects you to the Search Views Interface, where you can run and refine the selected Search View.
The Query Bar appears at the top of the Search Views Interface. By default, the query matches every value of each field in the view (field=* for each selected field).
For example:
action=* col_type=* device_ip=* log_ts=* sig_id=*
Note
LogPoint suggests some system fields in an auto-suggest box if you type any letter(s) followed by the space bar.
Use only simple queries. Query validation in Search Views rejects aggregators and the rex, norm, and rename commands.
Use the Repo selector to specify the repos from which to fetch the logs. By default, all the repos are selected.
Specify the Time range for fetching the logs. By default, Last 10 minutes is selected.
Limit Results sets the number of logs shown per page. The default value is 25.
Click a value in the Result Panel or the Top-10 Panel to drill down. The selected field and value are prepended to the query and shown in the Query Bar.
For example,
Before drill-down:
action=* col_type=* device_ip=* log_ts=* sig_id=* norm_id=*
Search Views Interface Before Drilldown¶
After drill-down on action="reporting speed":
action="reporting speed" action=* col_type=* device_ip=* log_ts=* sig_id=* norm_id=*
Search Views Interface After Drilldown¶
You can negate a field value to exclude it from the search results, from both the Top-10 Panel and the Result Panel. Hold the Command key (macOS) or the Ctrl key (Windows) and click the value to negate it.
For example,
Before negating:
action=* col_type=* device_ip=* log_ts=* sig_id=* norm_id=*
Before Negation¶
After negating action="denied":
-action="denied" action=* col_type=* device_ip=* log_ts=* sig_id=* norm_id=*
After Negation¶
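The following Python is an added illustration, not LogPoint code, that models the query behaviour described above: building the default field=* query from the fields chosen when a view is created, rejecting the piped commands that query validation blocks, prepending the drill-down and negation terms, and computing a Top-10 list over a handful of constructed log records. The aggregator names chart and timechart, the AND semantics between terms, and the -field="value" negation syntax are assumptions chosen to match the examples on this page.

```python
import re
from collections import Counter

# Piped commands that query validation blocks in a Search View (rex, norm and
# rename are named on the page; chart and timechart are assumed aggregator names).
RESTRICTED_COMMANDS = {"chart", "timechart", "rex", "norm", "rename"}

# Constructed sample records for this example, not real LogPoint data.
SAMPLE_LOGS = [
    {"action": "allowed", "col_type": "syslog", "device_ip": "10.0.0.5",
     "log_ts": "1700000001", "sig_id": "100", "norm_id": "CiscoASA"},
    {"action": "denied", "col_type": "syslog", "device_ip": "10.0.0.5",
     "log_ts": "1700000002", "sig_id": "101", "norm_id": "CiscoASA"},
    {"action": "denied", "col_type": "syslog", "device_ip": "10.0.0.6",
     "log_ts": "1700000003", "sig_id": "101", "norm_id": "CiscoASA"},
    {"action": "reporting speed", "col_type": "syslog", "device_ip": "10.0.0.7",
     "log_ts": "1700000004", "sig_id": "200", "norm_id": "FortiGate"},
    {"action": "allowed", "col_type": "syslog", "device_ip": "10.0.0.7",
     "log_ts": "1700000005", "sig_id": "100", "norm_id": "FortiGate"},
]

# One query term: optional leading '-' (negation), field name, '=', then either
# a double-quoted value or a bare token such as the '*' wildcard.
TERM_RE = re.compile(r'(-?)(\w+)=("([^"]*)"|\S+)')


def default_query(fields):
    """Default Search View query: every selected field matched with a wildcard."""
    return " ".join(f"{field}=*" for field in fields)


def validate_simple_query(query):
    """Return (ok, reason); reject restricted commands after a pipe."""
    for segment in query.split("|")[1:]:
        words = segment.split()
        command = words[0].lower() if words else ""
        if command in RESTRICTED_COMMANDS:
            return False, f"'{command}' is not allowed in a Search View query"
    return True, ""


def _quote(value):
    return '"' + value.replace('"', '\\"') + '"'


def drill_down(query, field, value):
    """Drill-down prepends field="value" to the existing query."""
    return f"{field}={_quote(value)} {query}"


def negate(query, field, value):
    """Negation prepends -field="value" (assumed negation syntax)."""
    return f"-{field}={_quote(value)} {query}"


def parse_terms(query):
    """Return a list of (negated, field, value) tuples."""
    terms = []
    for match in TERM_RE.finditer(query):
        negated, field, raw, quoted = match.groups()
        terms.append((negated == "-", field, quoted if quoted is not None else raw))
    return terms


def matches(log, terms):
    """All terms are ANDed; '*' only requires the field to be present."""
    for negated, field, value in terms:
        hit = field in log if value == "*" else log.get(field) == value
        # A positive term must hit and a negated term must not hit.
        if hit == negated:
            return False
    return True


def search(logs, query):
    terms = parse_terms(query)
    return [log for log in logs if matches(log, terms)]


def top_n(logs, query, field, n=10):
    """Top-10 panel: most frequent values of one field among matching logs."""
    counts = Counter(log[field] for log in search(logs, query) if field in log)
    return counts.most_common(n)


if __name__ == "__main__":
    base = default_query(["action", "col_type", "device_ip", "log_ts", "sig_id", "norm_id"])
    print(base, "->", len(search(SAMPLE_LOGS, base)), "logs")
    drilled = drill_down(base, "action", "reporting speed")
    print(drilled, "->", len(search(SAMPLE_LOGS, drilled)), "logs")
    negated = negate(base, "action", "denied")
    print(negated, "->", len(search(SAMPLE_LOGS, negated)), "logs")
    print("top action values:", top_n(SAMPLE_LOGS, base, "action"))
    print(validate_simple_query(base + " | chart count() by action"))
```

The validator only inspects the first word after each pipe, which is enough to mirror the restriction stated above; a real validator would also have to parse the query grammar, so treat this as a model of the rule rather than a reimplementation of LogPoint's check.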
Note
You can administer the Search Views of remote LogPoints from the Distributed LogPoint drop-down menu on the Header Bar inside the Settings menu.
On systems with the Data Privacy Module enabled, users with the Can Request Access privilege can view the values only in encrypted form, and decryption of these values cannot be requested.