on Sep 18, 2017Column groups allow you to format the events list to include only the relevant meta keys in the Events view and Legacy Events view (see Use Columns and Column Groups in the Events List). When the events list in Investigate is populated with events, each column lists the values returned for a meta key. Changing the meta keys displayed in the events list is a useful method of narrowing the focus of your investigation. For example, the default column group includes columns for Collection Time, Type, Theme, Size, and Summary. These are just the basic information, not specialized in any way. The RSA Email Analysis list has only that contain information useful when investigating email.
The column group definition includes the meta keys to use as column titles, the position of the column in the list, and the default width of the column. You can add, delete, import, export, and edit column groups. At fresh installation, built-in column groups are available. The built-in column groups are prefixed with RSA and can be duplicated but cannot be edited or deleted. You can also create custom column groups.
- The Create Column Group dialog is for the 11.4 and later Events view. To access this dialog, select Column Group > New Column Group in the Events view toolbar.
- The Column Group Details dialog is for the 11.4 and later Events view. To access this dialog, select Column Group in the Events view toolbar, then click the edit icon (
) next to a custom column group name.
- The Manage Column Groups dialog is for the Legacy Events view (Version 11.4) , and the Events view (Version 11.4 and earlier). The Manage Column Groups dialog has these features that are not yet available in the Create Column Group dialog: set column width, import, and export. To access this dialog, go to Investigate > Legacy Events and in the View drop-down list select Manage Column Groups. The View option is named for the current value, for example, Detail View, List View, Log View, or the currently selected column group.
After column groups are defined, you can use them in other Investigate views. In the Navigate view, Query Profiles allow you to select a column group to use when the profile is applied. In the Events view and the Legacy Events view, you can select a column group to apply to the Events panel.
Related Topics
Quick Look - Column Group Menu, Create Column Group Dialog, and Column Group Details Dialog
This section introduces the Column Group Menu, Create Column dialog, and the Column Group Details dialog. The following figures are examples of the Column Group menu. The example on the left (Version 11.4) has a custom column group highlighted so that the edit icon is visible. The example on the right (Version 11.5) has a built-in column group highlighted so that the information icon is visible. The table describes the options.
| Feature | Description |
|---|---|
| Visibility Options | (Version 11.5 and later) Control the types of column groups that are visible in the list, using any combination of the visibility options (blue = selected, black = not selected): Private = display private groups that only you can manage Shared = display shared groups that anyone in your organization can manage RSA = display built-in groups that only RSA can manage The visibility options work together with the Filter Column Groups field. If the visibility option is hiding built-in groups (which include "RSA" in the group name) and you search for a name that contains "RSA," the list is empty. |
| Filter Column Groups | Filters the list of column groups as you type text so that only group names that contain that text are displayed. |
| Column Group List | The list of column groups consists of custom and built-in groups, which are distinguished by the icons that precede the name. In Version 11.5 and later, custom groups can be shared or private. The RSA column groups are built-in column groups. The icons distinguish the private custom groups, shared custom groups, and built-in groups. |
| New Column Group | Displays the Create Column Group dialog, where you can create a custom column group. |
The Create Column Group dialog, shown in the figure on the left, allows you to define a custom column group. The figure on the right illustrates the Column Group Details dialog, in which you can edit a custom column group. The table describes the fields and options in the dialogs.
| Feature | Description |
|---|---|
 | Deletes the custom column group in the Column Group Details dialog. This action is irreversible and applies globally; the column group is no longer available to anyone who is using it on this service. |
| Group Name | Displays the name of the column group. The name must be unique and contain fewer than 64 characters. You can type in this field to edit the name in a custom column group. |
| Sharing | In Version 11.5 and later, you can create column groups that are shared or private. This setting is available when you first create the group. After it is created, you cannot change a shared column group to private, or a private column group to shared. |
| Filter Meta Keys | Filters the Displayed Meta Keys and Available Meta Keys based on the text that you type. Only meta keys that contain the typed text are displayed. |
| Displayed Meta Keys | Displays a scrollable list of meta keys that are selected for use in the custom column group. You can add meta keys in the Available Meta Keys list to this list, remove meta keys from this list  , and drag meta keys up or down to change the order in this list ( ). |
| Available Meta Keys | Displays a scrollable list of meta keys that are available (on the service) for use in the custom column group. You can add them to the Available Meta Keys list. Clicking  next to the meta key name adds it to the Displayed Meta Keys list. |
| Close button | Closes the dialog. |
| Save Column Group | For the Create Column Group dialog only, saves the new column group. |
| Reset | For the Column Group Details dialog only, reverts the edited column group to the last saved state. |
| Update Column Group | For the Column Group Details dialog only, applies changes to an edited column group. |
| Select Column Group | Applies the column group. |
Quick Look - Manage Column Groups Dialog
The Manage Column Groups dialog has two panels: Groups and Settings. At the bottom of this dialog are four buttons: Close, Cancel, Save, and Save and Apply.
The left panel is the Groups panel. This is where you can add, delete, import, or export column groups. At the top of the panel is a toolbar. Below the toolbar is a list of added column groups, where you can select one or more groups.
The following table lists the actions in the toolbar.
| Action | Description |
|---|---|
| | Adds a column group. Clicking this button highlights the Settings panel on the right, where you can name the column group and add or delete meta keys. At least one meta key is required to add a group. |
| | Deletes a column group. A confirmation dialog is displayed before the selected group is deleted. OOTB column groups cannot be deleted. |
| | Creates a copy of the selected column group. |
 | Displays the Import Column Groups dialog, where you can select a file to upload. |
 | Exports one or more selected groups to your local file system. |
The right panel is the Settings panel. This is where you can create and edit column groups. This panel contains the Name field, a toolbar, and a list. The following table describes the features of the Settings panel.
| Feature | Description |
|---|---|
| Name | The name of the selected column group. |
 | Adds a new row to the list of meta keys, where you can open a drop-down menu to select a new meta key. |
 | Deletes one or more selected meta keys. Displays a confirmation dialog before deleting. |
| Reset | Returns the column group to its most recently saved settings. |
| Meta Key | Lists the meta keys added to the selected column group. |
| Display Name | Lists the names of the meta keys as they are displayed in the Navigate, Events, and Event Analysis views. |
| Width | Specifies the width of each meta key's column. The width can be set between 10 and 1000. The default width is 100. |
The following table provides descriptions of the action buttons.
| Feature | Description |
|---|---|
| Close | Closes the dialog without saving. |
| Cancel | Cancels all unsaved changes. |
| Save | Saves all changes without closing the dialog. |
| Save and Apply | Saves and applies all changes immediately, closing the dialog. |
