In the Investigation > Navigate view or Events view, you can create a query rather than clicking through the meta keys and values to drill down into the meta data. The dialogs for creating a query offer syntax help with drop-down lists of applicable meta keys and operators. Related procedures are available in Query Data in Navigate View.
To access this dialog:
- In the Security Analytics menu, select Investigation > Navigate or Events. Both views provide access to the Query dialog.
The Investigate dialog is displayed.
- Select a service, then click Navigate.
- In the toolbar, select Query.
The Query dialog is displayed.
The Query dialog has three views:
- Simple view: you can create a query using the options displayed in the dialog.
- Advanced view: you can create a query without guidance.
- Recent view: you can select a query from a drop-down list of recent queries.
The following table describes the buttons at the bottom of the Query dialog.
|Button|Description|
|---|---|
|Apply|Applies the new query.|
|Cancel|Closes the dialog without applying changes.|
|Reset|Resets all fields.|
The following table describes the features of the Simple view.
|Feature|Description|
|---|---|
|Select Meta|Displays a drop-down list of meta groups.|
|Operator|Displays a drop-down list of operators (=, !=, exists, !exists).|
|Value|Allows you to enter a value to complete the query.|
|Network|Limits the query to packets if Log is not selected.|
|Log|Limits the query to logs if Network is not selected.|
The following table describes the features of the Advanced view.
|Feature|Description|
|---|---|
|Query box|Allows you to enter a query. When you begin typing, a drop-down list of available meta keys for the service is displayed, then a drop-down of operators is displayed as you type. If the expression currently entered in the query box is invalid, a warning appears near the box. When the query is valid, the warning is removed.|
The following table describes the features of the Recent view.
|Feature|Description|
|---|---|
|Query list|Allows you to select a query from a list of recent queries. Double-clicking a query will automatically apply it.|