...
Events in a data table can easily be grouped to facilitate analysis. The result of grouping is a data table presenting all the different row value combinations of the grouped columnsfields. Grouping is also required in order to subsequently apply aggregation operations to the data.
| Rw ui steps macro |
|---|
Select the Group icon in the search window toolbar and the Operations over columnsfields window appears with the Group tab selected.  Image Removed Image AddedChoose the required Grouping method and Partial Results results options: Grouping method | Non-time-based |
|---|
Select this option to get all the possible combinations of the columns fields added as arguments over the selected time range. In the following example, we have grouped the data using the Server and OperatingSystem columns fields as arguments to get all the possible combinations of operating systems and servers. Image Removed Image Added| Note |
|---|
Real-time data flow Be aware that, if activated, the real-time data flow will stop with this grouping option. You will get a warning message and the time will be automatically set to the current date. |
| Time-based | Include a time period when you group data in order to facilitate data analysis. Select the period you want to group by in the Every field. Note that the more columns fields you add as arguments in a temporal grouping, the less information you will extract, since the result will look more and more like the original table. | Partial results | No |
|---|
Choose No to wait for the server to resolve the whole grouping. | Yes | Choose Yes if you want to fetch the events from the server grouped in temporal chunks. This option is only available if Server mode is disabled in your search. | Info |
|---|
How Partial results work When Server mode is activated, as the server is the one that solves the entire grouping, the Partial results selection is disabled. However, when Server mode is disabled, users will be able to fetch the events from the server as a whole (Partial results = No) or grouped in temporal chunks and then reaggregated in the browser (Partial results = Yes). The server period corresponding to those temporal chunks is calculated according the following algorithm: Algorithm rules: The server periodis based onthe query date interval. The server periodmust be less than the query date interval. The server periodmust be one of the options available in the grouping dropdown list.
Algorithm process First, the algorithm checks the data variability expected. Then: If a lot of variability is expected, the objective will be 3 server periods. For that purpose, the algorithm divides the interval by 3 and rounds up. For example, if date interval is 17m, we will have 17m / 3 = 5,67m that rounded up to the nearest available period will be 10m. If not a lot of variability is expected, the objective will be 10 server periods. For that purpose, the algorithm divides the interval by 10 and rounds up. For example, if date interval is 17m, we will have 17m / 10 = 1,7m that rounded up to the nearest available period will be 2m.
|
|
Choose the required Arguments for the grouping. Click Add argument and select the required table columns fields to be included in the grouping. Click Group. The result will be a row for each unique combination of arguments and time period. After grouping the data, you can repeat these steps to continue applying groups as many times as necessary. |
...
Server grouping period - The first tab is the grouping period asked requested to the server. When you select a large period for your grouping, the server is requested to download a smaller interval, and is then recalculated to show the period you chose.
Client grouping period - The second tab is the grouping period used by your browser and is the actual period you indicated in the grouping. Modifying this period does not request data to the server again, but only recalculates the groups locally.
...
