
Searching data

Overview

In Devo, an event is a single collection of data, just like a record in a log file. All events are assigned tags to identify some key characteristics and to group them into virtual data tables in Devo.

When you run a search in Devo, you specify tags so that Devo can access the file where the events classified with those tags are stored. Each file collects the events of one data source in rows. Recognized tag combinations have an associated parser that renders the information as a table with rows and columns, and the parser assigns a data type to each column of the table.

To start searching data, choose Data search in the navigation panel.

The main area where you perform searches is the Explore your data tab, which contains five tabs that provide different ways of performing searches or interacting with them. One of these tabs holds the Finders section, where you open the desired table by selecting its tags level by level.

Once you open a search, the search window includes options that allow you to narrow the results to only the columns you need; display specific information of the events; or sort and filter the data. You can then start manipulating the data using the wide range of operations available in order to get the required information and build your required query.

For example, you can create additional columns, group the data using a specific period of time, or aggregate the data to apply specific calculations. You can create several paths of operations within a single search, allowing you to access multiple query levels just with one click.

Devo Cyber Information Model (DCIM)

The Devo Cyber Information Model (DCIM) is designed to help customers and partners share information about events, cyber threats and incidents in a consistent and structured way. The DCIM provides a common set of terms and definitions that can be used to describe various types of data once it has been ingested and made available in Devo. This helps to ensure that everyone and everything across Devo uses the same language when describing cyber and IT data, making it easier to share, contextualize, and analyze information.

One of the DCIM goals is to follow a standard naming convention for table field names. The DCIM strategy consists of replacing non-standard table field names with their corresponding DCIM field names in a way that preserves backwards compatibility.

Specifically, it affects the parsing of data after ingestion and during querying, thereby standardizing the following in Devo:

  • Table field names, visible in the Data search area finders and in the search window.

  • Common union table names (that is, union tables available in every Devo domain), visible in the Data search area finders and in the search window. Learn more about common union tables in Union tables.

Currently, DCIM is only applied to a set of common union tables. DCIM will be gradually applied to the rest of union tables and general table fields.

The searching data process