
Run a global search

Overview

You can find events containing specific values across all the data tables in their current domain using the Global search option in the data search area.

What permissions do I need to perform a global search?

To access this area and perform a global search, you need a role with the Global searches permission. Without this permission, you will not see the tab and cannot perform any global search.

Note that you need to activate any level of the parent permission (Finders) to enable the permission checkbox.

Domain feature

Note that this feature is only enabled by default in certain domains, so even if you have the required permissions, you might still be unable to see it. If you need to use it and it is not enabled in your domain, contact the Devo support team.

Using the global search

Activity shown

To avoid long loading times, the global search only returns events from data tables that had some activity in the last 7 days. Because of this, you may miss some data in your global search results.

Setting time ranges for a global search

When setting time ranges, it is important to consider different aspects related to the type of time range specified and the method chosen to do it. You can use the interface to set absolute, relative, or snap-to dates:

  • Absolute: a specific interval with fixed start and end dates to see data from a specific time period.

  • Relative: a period of time relative to the current date (last 5 minutes, last day, etc.) to see data progression up to the present.

  • Snap to: a period of time that goes back to the starting point of the selected time frame to see data without unrepresentative data samples resulting from analyzing incomplete periods. For example, if it is 10:53:17 on a Tuesday:

      • Snap to the day: you will see data beginning at 00:00 on that same Tuesday.

      • Snap to the hour: you will see data beginning at 10:00.

      • Snap to the minute: you will see data beginning at 10:53:00.
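
The following added example (not part of the Devo documentation or product code) resolves the three range types into concrete intervals for the 10:53:17 Tuesday case above and shows which events each one would cover. The event names, the 2024-01-02 date, the helper function names, and the choice to end snap-to windows at the current time with inclusive bounds are assumptions made for illustration.

```python
from datetime import datetime, timedelta

def absolute(start, end):
    """Fixed interval: stays the same no matter when the search runs."""
    return start, end

def relative(now, span):
    """Window of length `span` that ends at the current time."""
    return now - span, now

def snap_to(now, unit):
    """Window from the start of the current day/hour/minute.
    Assumption: the window ends at `now`."""
    zero = {
        "day": dict(hour=0, minute=0, second=0, microsecond=0),
        "hour": dict(minute=0, second=0, microsecond=0),
        "minute": dict(second=0, microsecond=0),
    }
    return now.replace(**zero[unit]), now

def in_range(events, window):
    """Names of events whose timestamp falls inside the window
    (bounds treated as inclusive; an assumption of this example)."""
    start, end = window
    return [name for ts, name in events if start <= ts <= end]

# Constructed sample data: "now" is 10:53:17 on a Tuesday (2024-01-02).
NOW = datetime(2024, 1, 2, 10, 53, 17)
EVENTS = [
    (datetime(2024, 1, 1, 23, 40, 0), "monday-late-login"),
    (datetime(2024, 1, 2, 0, 5, 0), "tuesday-early-login"),
    (datetime(2024, 1, 2, 9, 59, 59), "before-the-hour"),
    (datetime(2024, 1, 2, 10, 0, 0), "on-the-hour"),
    (datetime(2024, 1, 2, 10, 53, 5), "this-minute"),
]

if __name__ == "__main__":
    windows = {
        "absolute (all of Monday)": absolute(datetime(2024, 1, 1), datetime(2024, 1, 2)),
        "relative (last day)": relative(NOW, timedelta(days=1)),
        "snap to day": snap_to(NOW, "day"),
        "snap to hour": snap_to(NOW, "hour"),
        "snap to minute": snap_to(NOW, "minute"),
    }
    for label, window in windows.items():
        print(f"{label:26} {window[0]} -> {window[1]}  {in_range(EVENTS, window)}")
```

Note that "last day" still covers the Monday 23:40 event, while "snap to day" drops it because the window starts at 00:00 on Tuesday.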

You can set a time range using the interface or manually introduce time expressions.

Query performed by a global search

When you perform a global search, you will access the all.data table filtered by the expression you searched for. The default operation used is Contains tokens (toktains). You will see the operation performed under the text box while you enter the expression to look for. This would be the resulting query:

from all.data where weaktoktains(message, "user@devo.com")

Case sensitive information

Note that this operation is case sensitive. To ignore case, access your user or domain settings in the Preferences area and choose Case insensitive in the Default case sensitivity in searches dropdown. In this case, the operation would be Contains tokens - case insensitive (weaktoktains).

Table fields in a global search

The table contains the following fields:

eventdate

The date and time at which Devo received the event.

technology

The first and highest tag level. It indicates the type of technology from which the data comes.

brand

The second tag level. It indicates the vendor of the aforementioned technology.

phylum

The third tag level and the first optional, also known as type. It describes and categorizes the data source inside the company.

family

The fourth tag level and the second optional, also known as subtype 1. It further describes and categorizes the data source in case subdivisions are necessary.

genus

The fifth tag level and the third optional, also known as subtype 2. It further describes and categorizes the data source in case more subdivisions are necessary.

species

The sixth and lowest tag level and the fourth optional, also known as subtype 3. It further describes and categorizes the data source in case even more subdivisions are necessary.

tables

The tables in which the token appears.

hostName

The name of the machine from which the event originated.

hostIp

The IP address of the machine from which the event originated.

message

The data received in the event.

Global search result

In the capture below, we have entered the term info to check the events containing that word in all the tables in our domain. You can filter the table so that only those events contained in specific tables are shown. To do that, you can use the Any name matches (anymatches) operation.