Observations
Any user can access this feature.
Axon uses analytic rules to examine ingested and normalized logs and generate observations. Any record that appears in search results because it was detected by an Analytics Rule is an observation. Observation records appear in bold text and are marked with an observation icon next to the first column.
Clicking any cell in an observation row opens the Inspector panel on the right.
Related observations that share a specific common event display a cluster icon, which opens the more detailed Observation Cluster window.
Refer to Clusters for more information.
The following fields are unique to the Observation Inspector:
Field | Description |
---|---|
Source Rule | Shows the name of the Rule that triggered this observation. The description below the name explains how the observation was triggered. |
Trigger Logs | The number of logs in the last 24 hours that caused the rule to generate an observation. Click the value to show the logs. |
Heat Map | Shows a 24-hour bar graph, one column per hour, with column height based on the number of times the observation was triggered in that hour. |
Children | The number of logs containing content that caused the observation to be raised. Clicking the x Items link opens the Children panel, which shows the triggering logs in more detail. Clicking Open in Search in the Children panel shows a list of the children in a separate search. |
Rule Last 24h | The number of observations generated by the Source Rule in the last 24 hours. Click the value to show the observations. |
Last Fired | The timestamp of the most recent observation generated by the Source Rule. |
Observation Actions
The following actions are available upon clicking the three-dot menu in the observation window:
Action | Description |
---|---|
View Trigger Logs | Click to show a list of the observation's children (the logs that triggered the observation) in a separate search. |
Find Related Observations | Click to show all related observations, which were triggered because of the same rule. |
Go to Rule Definition | Click to show the rule that triggered the observation. |
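The following is an added example, not Axon's own code, of how the Inspector fields and the Find Related Observations action can be derived from observation records. It runs a hypothetical analytic rule (repeated failed logons from one origin IP within a short window) over constructed, normalized log records, keeps the logs that satisfied the rule as the observation's children, and then computes Trigger Logs, Heat Map, Rule Last 24h, Last Fired and the same-rule relation over the result. The rule name, thresholds, field names and the fixed reference time are all assumptions made for the example.

```python
"""Added example (not Axon code): a miniature analytics rule over constructed,
normalized logs, and the Observation Inspector aggregates computed from it."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is reproducible offline (assumption).
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
LOOKBACK = timedelta(hours=24)
RULE_NAME = "Brute Force: Repeated Failed Logons"   # hypothetical rule name


def _t(minutes_ago):
    return NOW - timedelta(minutes=minutes_ago)


# Constructed sample records in a normalized shape (not real Axon data).
LOGS = [
    {"id": 1, "time": _t(30), "origin_ip": "10.0.0.5", "user": "alice", "action": "logon", "result": "fail"},
    {"id": 2, "time": _t(29), "origin_ip": "10.0.0.5", "user": "alice", "action": "logon", "result": "fail"},
    {"id": 3, "time": _t(28), "origin_ip": "10.0.0.5", "user": "alice", "action": "logon", "result": "fail"},
    {"id": 4, "time": _t(27), "origin_ip": "10.0.0.5", "user": "alice", "action": "logon", "result": "success"},
    {"id": 5, "time": _t(300), "origin_ip": "10.0.0.9", "user": "bob", "action": "logon", "result": "fail"},
    {"id": 6, "time": _t(299), "origin_ip": "10.0.0.9", "user": "bob", "action": "logon", "result": "fail"},
    {"id": 7, "time": _t(298), "origin_ip": "10.0.0.9", "user": "bob", "action": "logon", "result": "fail"},
    # A burst 30 hours ago: fires the rule, but falls outside the 24-hour views.
    {"id": 8, "time": _t(1800), "origin_ip": "10.0.0.9", "user": "bob", "action": "logon", "result": "fail"},
    {"id": 9, "time": _t(1801), "origin_ip": "10.0.0.9", "user": "bob", "action": "logon", "result": "fail"},
    {"id": 10, "time": _t(1802), "origin_ip": "10.0.0.9", "user": "bob", "action": "logon", "result": "fail"},
    {"id": 11, "time": _t(10), "origin_ip": "10.0.0.7", "user": "carol", "action": "logon", "result": "fail"},
]


@dataclass
class Observation:
    source_rule: str
    origin_ip: str      # the common value shared by the children
    children: list      # the log records that caused the observation
    fired_at: datetime


def run_rule(logs, threshold=3, window=timedelta(minutes=10)):
    """Hypothetical analytic rule: raise an observation when `threshold` failed
    logons from one origin IP fall inside `window`. The logs that satisfied the
    rule become the observation's children and are not reused afterwards."""
    observations = []
    pending_by_ip = {}
    for log in sorted(logs, key=lambda l: l["time"]):
        if not (log["action"] == "logon" and log["result"] == "fail"):
            continue
        pending = pending_by_ip.setdefault(log["origin_ip"], [])
        pending.append(log)
        # Drop failures that have aged out of the sliding window.
        pending[:] = [l for l in pending if log["time"] - l["time"] <= window]
        if len(pending) >= threshold:
            observations.append(Observation(RULE_NAME, log["origin_ip"], list(pending), log["time"]))
            pending.clear()
    return observations


def trigger_logs(obs, now=NOW):
    """Trigger Logs: the observation's children that fall in the last 24 hours."""
    return [l for l in obs.children if now - l["time"] < LOOKBACK]


def rule_last_24h(observations, rule, now=NOW):
    """Rule Last 24h: observations the Source Rule generated in the last 24 hours."""
    return [o for o in observations if o.source_rule == rule and now - o.fired_at < LOOKBACK]


def last_fired(observations, rule):
    """Last Fired: timestamp of the most recent observation from the Source Rule."""
    fired = [o.fired_at for o in observations if o.source_rule == rule]
    return max(fired) if fired else None


def heat_map(observations, rule, now=NOW):
    """Heat Map: 24 hourly buckets, index 0 = oldest hour, index 23 = current hour."""
    counts = [0] * 24
    for o in rule_last_24h(observations, rule, now):
        hours_ago = int((now - o.fired_at).total_seconds() // 3600)   # 0..23
        counts[23 - hours_ago] += 1
    return counts


def find_related(observations, obs):
    """Find Related Observations: other observations raised by the same Source Rule."""
    return [o for o in observations if o.source_rule == obs.source_rule and o is not obs]


if __name__ == "__main__":
    obs = run_rule(LOGS)
    for o in obs:
        print(o.fired_at.isoformat(), o.origin_ip, [l["id"] for l in o.children])
    print("Rule Last 24h:", len(rule_last_24h(obs, RULE_NAME)))
    print("Heat Map:", heat_map(obs, RULE_NAME))
```

The sliding-window rule deliberately consumes the logs it fires on, so a sustained burst produces one observation per threshold-sized group rather than one per additional log; the 30-hour-old burst shows why Trigger Logs and Rule Last 24h can read zero or be smaller than Children, which counts every triggering log regardless of age.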
Subscribe to Observation Email Updates
You can sign up to receive notifications both in Axon and via email each time an observation is triggered as a result of a Rule firing.
For more information, see the Observation Alerts topic.