Discover¶
Discover gives you an overview of all logs being collected in real time. Here, you can filter the data by time and field.
Navigating Discover¶
Terms¶
Total count: The total number of logs in the timeframe being shown.
Aggregated by: In the bar chart, each bar represents the count of logs collected within a time interval. Use Aggregated by to choose the time interval. For example, Aggregated by: 30m means that each bar in the bar chart shows the count of all of the logs collected in a 30 minute timeframe. If you change to Aggregated by: hour, then each bar represents one hour of logs. The available options change based on the overall timeframe you are viewing in Discover.
Filtering data¶
Change the timeframe from which logs appear, and filter logs by field.
Tip: Why filter data?
Logs contain a lot of information, more than you need to accomplish most tasks. When you filter data, you choose which information you see. This can help you learn more about your network, identify trends, and even hunt for threats.
Examples:
- You want to see login data from just one user, so you filter the data to show logs containing their username.
- You had a security event on Wednesday night, and you want to learn more about it, so you filter the data to show logs from that time period.
- You notice you don't see any data from one of your network devices. You can filter the data to see all the logs from just that device. Now, you can see when the data stopped coming, and what the last event was that might have caused the problem.
Changing the timeframe¶
You can view logs from a specified timeframe. Set the timeframe by choosing start and end points using this tool:
Remember: Once you change the timeframe, press the blue refresh button to update your page.
Using the time setting tool¶
Setting a relative start/end point¶
To set the start or end point to a time relative to now, use the Relative tab.
Quick time settings
Use the quick now- ("now minus") options to set the timeframe to a preset with one click. Selecting one of these options affects both the start and end point. For example, if you choose now-1 week, the start point will be one week ago, and the end point will be "now." Choosing a now- option from the end point does the same thing as choosing a now- option from the start point. (You can't use the now- options to set the end point to anything besides "now.")
Drop-down options
To set a relative time (such as 15 minutes ago) for the start or end point, use the relative time options below the quick setting options. Select your unit of time from the drop-down list, and type or click to your desired number.
To confirm your choice, click Set relative time, and view the logs by clicking on the refresh button.
Example shown: This selection will show logs collected starting from one day ago until now.
Setting an exact start/end point¶
To choose the exact day and time for the start or end point, use the Absolute tab and select a date and time on the calendar.
To confirm your choice, click Set date.
Example shown: This selection will show logs collected starting from June 7, 2023 at 6:00 until now.
Auto refresh¶
To update the view automatically at a set time interval, choose a refresh rate:
Refresh¶
To reload the view with your changes, click the blue refresh button.
Note: Don't choose "Now" as your start point. Since the program can't show data newer than "now," it's not valid, so you'll see an error message.
Using the time selector¶
To select a more specific time period within the current timeframe, click and drag on the graph.
Filtering by field¶
In Discover, you can filter data by any field in multiple ways.
Using the field list¶
Use the search bar to find the field you want, or scroll through the list.
Isolating fields¶
To choose which fields you see in the log list, click the + symbol next to the field name. You can select multiple fields.
Seeing all occuring values in one field¶
To see a percentage breakdown of all the values from one field, click the magnifying glass next to the field name (the magnifying glass appears when you hover over the field name).
Tip: What does this mean?
This list of values from the field http.response.status_code compares how often users are getting certain http response codes. 51.4% of the time, users are getting a 404 code, meaning the webpage wasn't found. 43.3% of the time, users are getting a 200 code, which means that the request succeeded. The high percentage of "not found" response codes could inform a website administrator that one or more of their frequently clicked links are broken.
Viewing and filtering log details¶
To view the details of individual logs as a table or in JSON, click the arrow next to the timestamp. You can apply filters using the field names in the table view.
Filtering from the expanded table view¶
You can use controls in the table view to filter logs:
Filter for logs that contain the same value in the selected field (update_item
in action
in the example)
Filter for logs that do NOT contain the same value in the selected field (update_item
in action
in the example)
Show a percentage breakdown of values in this field (the same function as the magnifying glass in the fields list on the left)
Add to list of displayed fields for all visible logs (the same function as in the fields list on the left)
Query bar¶
You can filter for field (not time) using the query bar. The query bar tells you which query language to use. The query language depends on your data source. Use Lucene Query Syntax for data stored using ElasticSearch.
After you type your query, set the timeframe and click the refresh button. Your filters will be applied to the visible incoming logs.
Investigating IP addresses¶
You can investigate IP addresses using external analysis tools. You might want to do this, for example, if you see multiple suspicious logins from one IP address.
Using external IP analysis tools
1. Click on the IP address you want to analyze.
2. Click on the tool you want to use. You'll be taken to the tool's website, where you can see the results of the IP address analysis.