Using Discover

Discover gives you an overview of all logs being collected in real time. Here, you can filter the data by time and field.

[Image: Discover navigation]

Terms

Total count: The total number of logs in the timeframe being shown.

Aggregated by: In the bar chart, each bar represents the count of logs collected within a time interval. Use Aggregated by to choose the time interval. For example, Aggregated by: 30m means that each bar in the bar chart shows the count of all of the logs collected in a 30-minute timeframe. If you change to Aggregated by: hour, then each bar represents one hour of logs. The available options change based on the overall timeframe you are viewing in Discover.
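As an added example (not part of this documentation or the product's own code), the following Python bins a constructed set of log timestamps into "Aggregated by" buckets such as 30m or hour, counts per bucket the way the bar chart does, and returns the total count for the timeframe; the interval spellings, the @timestamp field and the sample logs are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

ISO = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample logs (not taken from the page); @timestamp is assumed to be UTC.
SAMPLE_LOGS = [
    {"@timestamp": "2023-06-07T05:30:00Z", "event.action": "login"},  # before the timeframe
    {"@timestamp": "2023-06-07T06:05:00Z", "event.action": "login"},
    {"@timestamp": "2023-06-07T06:20:00Z", "event.action": "login"},
    {"@timestamp": "2023-06-07T06:45:00Z", "event.action": "update_item"},
    {"@timestamp": "2023-06-07T07:10:00Z", "event.action": "login"},
    {"@timestamp": "2023-06-07T08:59:00Z", "event.action": "logout"},
]

UNIT_SECONDS = {"m": 60, "minute": 60, "h": 3600, "hour": 3600, "d": 86400, "day": 86400}

def parse_interval(spec):
    """Turn an 'Aggregated by' value such as '30m' or 'hour' into seconds (assumed spellings)."""
    spec = spec.strip().lower()
    digits = "".join(ch for ch in spec if ch.isdigit())
    unit = spec[len(digits):].strip()
    if unit not in UNIT_SECONDS:
        raise ValueError(f"unknown interval unit: {unit!r}")
    return (int(digits) if digits else 1) * UNIT_SECONDS[unit]

def parse_ts(value):
    return datetime.strptime(value, ISO).replace(tzinfo=timezone.utc)

def histogram(logs, start, end, interval):
    """Return (total count, {bucket start: count}) for logs with start <= @timestamp < end.

    start and end are ISO 8601 strings. Buckets are aligned to the start point and
    empty buckets are kept, which is what the bar chart draws."""
    start, end = parse_ts(start), parse_ts(end)
    if start >= end:  # a start point of "now" fails here for the same reason the UI rejects it
        raise ValueError("start point must be earlier than the end point")
    step = parse_interval(interval)
    stamps = [ts for ts in map(parse_ts, (log["@timestamp"] for log in logs)) if start <= ts < end]
    # Bucket index = whole number of intervals elapsed since the start point.
    counts = Counter(int((ts - start).total_seconds()) // step for ts in stamps)
    buckets = {}
    for offset in range(0, int((end - start).total_seconds()), step):
        buckets[(start + timedelta(seconds=offset)).strftime(ISO)] = counts.get(offset // step, 0)
    return len(stamps), buckets

if __name__ == "__main__":
    for interval in ("30m", "hour"):
        print(interval, histogram(SAMPLE_LOGS, "2023-06-07T06:00:00Z", "2023-06-07T09:00:00Z", interval))
```

Running it shows the same five logs drawn as six 30-minute bars or three one-hour bars, with the total count unchanged.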

Filtering data

Change the timeframe from which logs appear, and filter logs by field.

Tip: Why filter data?

Logs contain a lot of information, more than you need to accomplish most tasks. When you filter data, you choose which information you see. This can help you learn more about your network, identify trends, and even hunt for threats.

Examples:

  • You want to see login data from just one user, so you filter the data to show logs containing their username.
  • You had a security event on Wednesday night, and you want to learn more about it, so you filter the data to show logs from that time period.
  • You notice you don't see any data from one of your network devices. You can filter the data to see all the logs from just that device. Now, you can see when the data stopped coming, and what the last event was that might have caused the problem.

Changing the timeframe

You can view logs from a specified timeframe. Set the timeframe by choosing start and end points using this tool:

[Image: timeframe tool]

Remember: Once you change the timeframe, press the blue refresh button to update your page.

Using the time setting tool

Setting a relative start/end point

To set the start or end point to a time relative to now, use the Relative tab.

Quick time settings

Use the quick now- ("now minus") options to set the timeframe to a preset with one click. Selecting one of these options affects both the start and end point. For example, if you choose now-1 week, the start point will be one week ago, and the end point will be "now." Choosing a now- option from the end point does the same thing as choosing a now- option from the start point. (You can't use the now- options to set the end point to anything besides "now.")

Drop-down options

To set a relative time (such as 15 minutes ago) for the start or end point, use the relative time options below the quick setting options. Select your unit of time from the drop-down list, and type or click to reach your desired number.

To confirm your choice, click Set relative time, and view the logs by clicking on the refresh button.

Example shown: This selection will show logs collected starting from one day ago until now.

[Image: set relative time]

Setting an exact start/end point

To choose the exact day and time for the start or end point, use the Absolute tab and select a date and time on the calendar.

To confirm your choice, click Set date.

Example shown: This selection will show logs collected starting from June 7, 2023 at 6:00 until now.

[Image: set absolute time]

Auto refresh

To update the view automatically at a set time interval, choose a refresh rate.

[Image: auto refresh]

Refresh

To reload the view with your changes, click the blue refresh button.

[Image: refresh]

Note: Don't choose "Now" as your start point. Since the program can't show data newer than "now," such a start point is not valid, and you'll see an error message.

Using the time selector

To select a more specific time period within the current timeframe, click and drag on the graph.

[Image: time selector]

Filtering by field

In Discover, you can filter data by any field in multiple ways.

Using the field list

Use the search bar to find the field you want, or scroll through the list.

[Image: field orientation]

Isolating fields

To choose which fields you see in the log list, click the + symbol next to the field name. You can select multiple fields.

[Image: selected fields example]

Seeing all occurring values in one field

To see a percentage breakdown of all the values from one field, click the magnifying glass next to the field name (the magnifying glass appears when you hover over the field name).

[Image: percentage breakdown]

Tip: What does this mean?

This list of values from the field http.response.status_code compares how often users are getting certain HTTP response codes. 51.4% of the time, users are getting a 404 code, meaning the webpage wasn't found. 43.3% of the time, users are getting a 200 code, which means that the request succeeded. The high percentage of "not found" response codes could inform a website administrator that one or more of their frequently clicked links are broken.

Viewing and filtering log details

To view the details of individual logs as a table or in JSON, click the arrow next to the timestamp. You can apply filters using the field names in the table view.

[Image: expanded log views]

Filtering from the expanded table view

You can use the controls in the table view to filter logs:

[Image: table view controls]

  • Filter for logs that contain the same value in the selected field (update_item in action in the example)
  • Filter for logs that do NOT contain the same value in the selected field (update_item in action in the example)
  • Show a percentage breakdown of values in this field (the same function as the magnifying glass in the fields list on the left)
  • Add to the list of displayed fields for all visible logs (the same function as in the fields list on the left)

Query bar

You can filter by field (not by time) using the query bar. The query bar tells you which query language to use. The query language depends on your data source. Use Lucene Query Syntax for data stored in Elasticsearch.

After you type your query, set the timeframe and click the refresh button. Your filters will be applied to the visible incoming logs.
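As an added example (not the documentation's or the product's own code), the following Python evaluates a small subset of Lucene query syntax over constructed sample logs: field:value terms, NOT, AND and OR, plus inclusive numeric ranges such as http.response.status_code:[400 TO 499]. It also computes the percentage breakdown of one field described under "Seeing all occurring values in one field". The field names and sample records are assumptions, and the real query bar is evaluated by the backend search engine, not by this code.

```python
import re
from collections import Counter

# Constructed sample web-server logs (not from the page); the dotted field names are assumed.
SAMPLE_LOGS = [
    {"user.name": "alice", "source.ip": "10.0.0.5", "http.response.status_code": 200},
    {"user.name": "alice", "source.ip": "10.0.0.5", "http.response.status_code": 404},
    {"user.name": "bob", "source.ip": "10.0.0.7", "http.response.status_code": 404},
    {"user.name": "bob", "source.ip": "10.0.0.7", "http.response.status_code": 200},
    {"user.name": "carol", "source.ip": "198.51.100.9", "http.response.status_code": 404},
    {"user.name": "carol", "source.ip": "198.51.100.9", "http.response.status_code": 500},
]

RANGE = re.compile(r"^\[(\S+) TO (\S+)\]$")  # inclusive Lucene range, e.g. [400 TO 499]

def compile_term(term):
    """One term: 'field:value' (exact match) or 'field:[lo TO hi]' (inclusive numeric
    range), optionally prefixed with NOT. A field missing from the log never matches."""
    negate = term.startswith("NOT ")
    field, value = (term[4:] if negate else term).split(":", 1)
    rng = RANGE.match(value)
    if rng:
        lo, hi = float(rng.group(1)), float(rng.group(2))
        match = lambda log: isinstance(log.get(field), (int, float)) and lo <= log[field] <= hi
    else:
        match = lambda log: field in log and str(log[field]) == value
    return (lambda log: not match(log)) if negate else match

def compile_query(query):
    """Compile query text into a predicate. AND binds tighter than OR, as in Lucene;
    parentheses and wildcards are outside this subset."""
    clauses = [[compile_term(t.strip()) for t in clause.split(" AND ")]
               for clause in query.split(" OR ")]
    return lambda log: any(all(t(log) for t in clause) for clause in clauses)

def search(logs, query):
    """Logs that match the query bar text; the time filter is applied separately."""
    pred = compile_query(query)
    return [log for log in logs if pred(log)]

def breakdown(logs, field):
    """Percentage of logs per value of one field, as the magnifying-glass view shows."""
    if not logs:
        return {}
    counts = Counter(str(log.get(field)) for log in logs)
    return {value: round(100 * n / len(logs), 1) for value, n in counts.most_common()}
```

Combining the two, breakdown(search(SAMPLE_LOGS, "user.name:bob"), "http.response.status_code") reproduces the "filter by one user, then look at their response codes" workflow from the examples above.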

Investigating IP addresses

You can investigate IP addresses using external analysis tools. You might want to do this, for example, if you see multiple suspicious logins from one IP address.

Using external IP analysis tools

1. Click on the IP address you want to analyze.

[Image: clickable IP addresses]

2. Click on the tool you want to use. You'll be taken to the tool's website, where you can see the results of the IP address analysis.

[Image: external analysis tools]