GETTING STARTED
      Back to home
      1. KNOWLEDGE BASE
      2. HUNTING WITH WORKBOOKS
      3. GETTING STARTED

      Create a Search Block

      Search block has been added to create queries by selecting the predefined directives, filters, functions etc. This query builder is an intelligent query processing feature which helps to form queries for new users without prior knowledge of the DQL. The DNIF Query GUI interface lets you search through the data gathered and collated by DNIF. This section introduces you to the various elements and query directives you can use to work with this interface.

      How to add a Search Block?

      • Hover on the Workbooks icon on the left navigation bar, it will display the folder wise view of existing workbooks in the cluster.

      image.png

      • Click the plus icon at the top right corner , the following Search GUI screen will be displayed.
        OR
      • Click search icon on the left navigation bar, the following screen will be displayed.

      The Search Block is the default block, it will be automatically displayed every time you try to create or add a new workbook.

      image.png
      • You can now select streams while building a query using the search block. Select the stream, filters, and set the duration to fetch details
      Field Name Description
      Filter Below are the Filter functions
      $Stream Select the required stream filter. The stream filter is divided into three categories
      • Recent: Displays the list of streams accessed in the last five minutes.
      • Active: Displays the list of streams that are accessed frequently
      • Other: Displays the list of streams that are not accessed.
      Operators The valid boolean operators for search result are:
      • AND: The AND operator displays a record if all the conditions separated by AND are TRUE.
      • NOT: The NOT operator displays a record if the condition(s) is NOT TRUE.
      Field Select the required field
      Expression Select the required operator expression
        The values are:
      • = Equal to
      • > Greater than
      • < Less than
      Value Enter the required value as per the selected field
      Aggregate image.png Below are the Aggregate Functions
      Select Type Performs arithmetic functions on a specified field in the entire result set.
        The values are:
      • Sum: Summation of the specified compute field in the entire result set.
      • Min: Minimum value of the specified compute field in the entire result set.
      • Max: Maximum value of the specified compute field in the entire result set.
      • Avg: Average of the specified compute field in the entire result set.
      • Count_unique: Counts the rows in each group.
      Select Field Value Select the specific field on which the arithmetic function should be performed.
      Filter image.png Used to add filters to the query based on your requirement.
      image.png / image.png Used to hide or unhide the query results
      Rows Used to select number of rows to be displayed.
      Duration Used to select a time range based on your requirement.
      • Last one day: Displays the signals raised during the last one day.
      • Last hour: Displays the signals raised during the last one hour.
      • Last thirty minutes: Displays the signals raised during the last thirty minutes.
      • Last day: Displays the signals raised during the last 24 hours
      • Last week: Displays the signals raised during the last week
      • Last month: Displays the signals raised during the last month
      • Custom Range: Allows you to set a customized date and time range as per your requirement.
      image.png Used to search raw payload, with logevent in query or payload flag.

      Note: Default searches do not include raw payload unless logevent is referred in query or with payload flag.

      For example,

      • _fetch $CNAMTime, $LogEvent from event limit 10
      • _fetch * from event where $LogEvent=DESKTOP limit 10
      • _fetch * from event where $Stream=FIREWALL limit 10 with payload
      image.png Used to filter the query result based on your requirement.
      image.png Used to export logs in CSV format
      • Select/Enter the required fields to build your query and click Run, a progress bar will be displayed showing that the query is being processed.

      image.png

      • Once the query is successfully processed, the results will be displayed as below.

      image.png

      • Click Information icon, to view log details. You can view the log details in JSON and TABLE format.

      image.png

      • Click Copy icon, to copy the details to clipboard.

      For more details on details on Workbooks, refer Create a Workbook

       How to use the search block?

       
      Search is the query builder that will assist you in forming queries even if you don't have any knowledge of DQL
      Follow the steps below to build a query using search block.
      • On adding a search block, the following screen will be displayed.
      • On the above screen, the duration last 5 minutes an $Stream=FIREWALL and LIMIT 100 is set by default, this is a simple query that would retrieve 100 records of the FIREWALL Stream in the last 5 minutes as in the screen below.

        You can customize the query as per your requirement by changing the duration and adding filters.