Filter data

Once inside the search window with the desired search open, apply filters to table data to isolate or exclude specified field values. The results are returned immediately and displayed in chronological order, and the timeline is updated at the same time to match the query.

You can filter your data in several different ways:

Using the Operations over fields window

You can use this window to specify the arguments needed for the operation following the procedure explained below:

Using the field header list of values

Select the arrow icon that appears when hovering over a field header to see the list of distinct values in that field, then click a value name. The Operations over fields window will open in the Filter tab with the Equal - case insensitive (eqic) operation selected. The selected field and value are automatically added as arguments of the filter.

Using cell value

Alternatively, you can use a cell's content as filtering criteria to quickly include all the arguments needed for the operation. If you place the cursor over a cell on the data table and press Enter, the Operations over fields window will open with the Filter tab and the Equal - case insensitive (eqic) operation selected. The arguments will be automatically filled with the values of the cell and its field (Value → Field, Is equal to → Cell).

Using cell value to filter in a new tab

You can also use a cell's content as filtering criteria and show the result in a different browser tab. Right-click on a cell and select Filter in another tab by (...) and a new browser tab will open to display the result of this filter operation without losing the previous search.

These separate searches are independent, so modifying or closing one does not affect the other. This makes the workflow more versatile: you can work with different variables and outcomes separately, and the filter operation takes just two clicks.

Filter on raw

In all data tables, the entire event is logged in a raw field that displays the event data as a string. This field has a different name depending on the table: rawMessage, rawSource, or raw.

Use the Filter on raw field to search for keywords throughout the entire raw data field, instead of filtering by a specific field.

Naming protocol

Given the different names for raw fields, the LINQ expression will differ as follows (in order of search priority):

  1. where weaktoktains(rawMessage, "<value>")

  2. where weaktoktains(rawSource, "<value>")

  3. where weaktoktains(raw, "<value>")
