
Run a global search v7.1.0

Users with the necessary permissions can run a global search in Devo to find events containing specific values across all the data tables in their current domain.

Note that this feature is only enabled in certain domains by default. If you need to use it and it is not enabled in your domain, contact the Devo support team.

  1. Go to Data search and select the Global search tab.
  2. Enter the expression you want to search for. You can combine terms with the standard AND and OR operators, use an asterisk ( * ) as a wildcard, or use quotation marks ( "" ) to search for an exact phrase. For example: user1@domain.com OR user2@domain.com AND "illegal access" AND *apache
  3. Select the time period over which you want to search.
  4. Select the tables that you wish to search. By default, all tables are selected; switching off any one of them also switches off the Select all tables option.
  5. Press ENTER to run the search.

To keep loading times down, the global search only returns events from data tables that have had some activity in the last 7 days. If a table has received no data in that window, its events are not searched at all, even if it is selected.

Which query does a global search perform?

When you perform a global search, you query the all.data table filtered by the expression you entered. The default operation used is Contains tokens (toktains).

Note that this operation is case sensitive, so a search for info does not match an event whose message contains INFO. To run case-insensitive global searches, open your user or domain settings in the Preferences area and choose Case insensitive in the Default case sensitivity in searches dropdown. Devo then filters the data with the Contains tokens - case insensitive (weaktoktains) operation. Internally, Devo treats the expression you search for as a token.

You will see the query performed under the text box while you enter the expression to look for. In the capture below, we are performing a case insensitive search, and this would be the resulting query:

from all.data
where weaktoktains(message, "user@devo.com")
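The following Python script is an added example, not Devo code: it emulates locally what the toktains and weaktoktains filters do to a handful of constructed sample messages, so you can see why the default case-sensitive search misses INFO when you search for info, and how AND, OR, quoted phrases and the * wildcard combine. The page does not describe Devo's tokenizer or operator precedence, so the following are assumptions made here: tokens are runs of letters, digits and the characters _ @ . -; a quoted phrase must match a consecutive run of tokens; * is a wildcard within a single token; AND binds tighter than OR; and the way render_query joins several terms with and/or is only an assumed generalisation of the single-term query the page shows.

```python
"""Local emulation of Devo global-search matching (toktains vs. weaktoktains).

Added example, not Devo code. Assumptions not stated on the page: tokens are
runs of letters, digits and _ @ . - ; a quoted phrase must match adjacent
tokens in order; '*' is a wildcard inside one token; AND binds tighter than OR.
"""
import re
from typing import List

# Assumed tokenizer. '*' is allowed in search terms but not in message tokens.
MESSAGE_TOKEN_RE = re.compile(r"[A-Za-z0-9_@.\-]+")
TERM_TOKEN_RE = re.compile(r"[A-Za-z0-9_@.\-*]+")
# A search expression is a sequence of quoted phrases or bare words/operators.
TERM_RE = re.compile(r'"([^"]*)"|(\S+)')

# Constructed sample events (not real Devo data), one message each.
SAMPLE_MESSAGES = [
    "sshd[1201]: user1@domain.com failed password from 10.0.0.7",
    "httpd/mod_apache: illegal access to /admin by user2@domain.com",
    "apache2: illegal access attempt, denied",
    "INFO scheduler: job finished",
    "info: disk check ok",
]


def parse_expression(expression: str) -> List[List[str]]:
    """Split an expression into OR-groups of AND-terms, e.g.
    'a OR b AND "c d"' -> [['a'], ['b', 'c d']] (precedence is assumed)."""
    groups: List[List[str]] = []
    current: List[str] = []
    for quoted, bare in TERM_RE.findall(expression):
        if bare == "OR":
            groups.append(current)
            current = []
        elif bare == "AND":
            continue
        elif quoted or bare:
            current.append(quoted or bare)
    groups.append(current)
    return [g for g in groups if g]


def _token_pattern(term_token: str, case_sensitive: bool):
    """'*' becomes a wildcard; every other character is matched literally."""
    regex = re.escape(term_token).replace(r"\*", ".*")
    return re.compile(regex, 0 if case_sensitive else re.IGNORECASE)


def contains_tokens(message: str, term: str, case_sensitive: bool = True) -> bool:
    """Emulates toktains(message, term) / weaktoktains(message, term):
    every token of the term must appear, in order and adjacent, in the message."""
    tokens = MESSAGE_TOKEN_RE.findall(message)
    patterns = [_token_pattern(t, case_sensitive) for t in TERM_TOKEN_RE.findall(term)]
    if not patterns:
        return False
    for start in range(len(tokens) - len(patterns) + 1):
        if all(p.fullmatch(tokens[start + i]) for i, p in enumerate(patterns)):
            return True
    return False


def global_search(expression: str, messages: List[str], case_sensitive: bool = True) -> List[str]:
    """Return the messages the expression would select under the assumed rules."""
    groups = parse_expression(expression)
    return [
        m for m in messages
        if any(all(contains_tokens(m, t, case_sensitive) for t in g) for g in groups)
    ]


def render_query(expression: str, case_sensitive: bool = True) -> str:
    """Render the all.data query. For a single term this is exactly the form the
    page shows; joining several terms with and/or is an assumption."""
    op = "toktains" if case_sensitive else "weaktoktains"
    clause = " or ".join(
        " and ".join(f'{op}(message, "{t}")' for t in g) for g in parse_expression(expression)
    )
    return f"from all.data\nwhere {clause}"


if __name__ == "__main__":
    expr = 'user1@domain.com OR user2@domain.com AND "illegal access" AND *apache'
    print(render_query(expr))
    for hit in global_search(expr, SAMPLE_MESSAGES):
        print("HIT:", hit)
    # The default case-sensitive search for 'info' misses the 'INFO' line.
    print(global_search("info", SAMPLE_MESSAGES, case_sensitive=True))
    print(global_search("info", SAMPLE_MESSAGES, case_sensitive=False))
```

Run it as-is to see the case-sensitivity difference: the case-sensitive search for info returns only the "info: disk check ok" line, while the case-insensitive one also returns the "INFO scheduler" line. The wildcard term *apache matches the token mod_apache but not apache2, because the wildcard only stands for characters before apache.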

You can find the following columns in the table:

  eventdate: The date and time at which Devo received the event.
  technology: The first and highest tag level. It indicates the type of technology from which the data comes.
  brand: The second tag level. It indicates the vendor of the aforementioned technology.
  phylum: The third tag level and the first optional one, also known as type. It describes and categorizes the data source inside the company.
  family: The fourth tag level and the second optional one, also known as subtype 1. It further describes and categorizes the data source in case subdivisions are necessary.
  genus: The fifth tag level and the third optional one, also known as subtype 2. It further describes and categorizes the data source in case more subdivisions are necessary.
  species: The sixth and lowest tag level and the fourth optional one, also known as subtype 3. It further describes and categorizes the data source in case even more subdivisions are necessary.
  tables: The tables in which the token appears.
  hostName: The name of the machine from which the event originated.
  hostIp: The IP address of the machine from which the event originated.
  message: The data received in the event.

Be aware that the tag-level columns (technology, brand, phylum, family, genus and species) do not always coincide with the tables listed in the tables column. This happens when the listed tables are derived tables that extract information and metadata from the tables in which the token actually appears.

In the capture below, we have entered the term info to check the events containing that word in all the tables in our domain.

You can filter the results so that only events from specific tables are shown. To do that, apply the Any name matches (anymatches) operation to the tables column.