Any user can access this feature.

Axon uses analytic rules to examine ingested and normalized logs and generate observations. Any record in search results that was detected by an Analytics Rule is considered an observation. Observation records appear in bold text and are marked with an observation icon next to the first column.

Clicking any cell in an observation row opens the Inspector panel on the right.

Related observations that share a specific common event display an icon that opens the more detailed Observation Cluster window.

Refer to Clusters for more information.

The following fields are unique to the Observation Inspector:

Source Rule

Shows the name of the Rule that triggered this observation.

The description below the name explains how the observation was triggered.

Trigger Logs

The number of logs in the last 24 hours that caused the rule to generate an observation.

Click the value to show the logs.

Heat Map

Shows a 24 hour bar graph, with column sizes based on the number of times the observation was triggered per hour.

The number of logs containing content that caused the observation to be raised.

Clicking the x Items link opens the Children panel, which shows the triggering logs in more detail. Clicking Open in Search in the Children panel shows a list of the children in a separate search.

Rule Last 24h

The number of observations generated by the Source Rule in the last 24 hours.

Click the value to show the observations.

Last Fired

The timestamp of the most recent observation generated by the Source Rule.

Observation Actions

The following actions are available upon clicking the three-dot menu in the observation window:

View Trigger Logs

Click to show a list of the observation's children (the logs that triggered the observation) in a separate search.

Find Related Observations

Click to show all related observations, which were triggered because of the same rule.

Go to Rule Definition

Click to show the rule that triggered the observation.
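The following is an added illustration, not Axon's own code or API, of how the Inspector fields and actions above relate to the underlying records: given observation records that carry the rule name, the time the rule fired and the timestamps of the triggering logs, it computes Trigger Logs, Heat Map, Rule Last 24h, Last Fired and the "Find Related Observations" set. The record layout, the sample data and the fixed "current time" are constructed assumptions for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed "current time" so the 24 hour window is deterministic.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)

# Constructed observation records (assumed layout, not Axon's data model):
# the rule that raised the observation, when it fired, and the trigger logs.
OBSERVATIONS = [
    {"rule": "Brute Force Login", "fired_at": NOW - timedelta(hours=1),
     "trigger_logs": [NOW - timedelta(hours=1, minutes=m) for m in (0, 2, 5)]},
    {"rule": "Brute Force Login", "fired_at": NOW - timedelta(hours=5),
     "trigger_logs": [NOW - timedelta(hours=5, minutes=m) for m in (1, 3)]},
    # Older than 24 hours: still an observation, but outside every 24h count.
    {"rule": "Brute Force Login", "fired_at": NOW - timedelta(hours=30),
     "trigger_logs": [NOW - timedelta(hours=30)]},
    {"rule": "Rare Process", "fired_at": NOW - timedelta(hours=2),
     "trigger_logs": [NOW - timedelta(hours=2)]},
]


def in_window(ts, now=NOW, hours=24):
    """True when ts falls inside the last `hours` hours ending at now."""
    return now - timedelta(hours=hours) < ts <= now


def trigger_logs_last_24h(observations, rule, now=NOW):
    """'Trigger Logs': logs in the last 24 hours that caused the rule to fire."""
    return sum(1 for o in observations if o["rule"] == rule
               for ts in o["trigger_logs"] if in_window(ts, now))


def heat_map(observations, rule, now=NOW):
    """'Heat Map': 24 hourly buckets of trigger counts.

    Index 23 is the hour ending at now, index 0 the oldest hour in the window.
    """
    buckets = [0] * 24
    for o in observations:
        if o["rule"] != rule:
            continue
        for ts in o["trigger_logs"]:
            if in_window(ts, now):
                hours_ago = int((now - ts).total_seconds() // 3600)
                buckets[23 - hours_ago] += 1
    return buckets


def rule_last_24h(observations, rule, now=NOW):
    """'Rule Last 24h': observations the Source Rule generated in the last 24 hours."""
    return sum(1 for o in observations
               if o["rule"] == rule and in_window(o["fired_at"], now))


def last_fired(observations, rule):
    """'Last Fired': timestamp of the rule's most recent observation (any age)."""
    return max(o["fired_at"] for o in observations if o["rule"] == rule)


def related_observations(observations, observation):
    """'Find Related Observations': other observations raised by the same rule."""
    return [o for o in observations
            if o["rule"] == observation["rule"] and o is not observation]


if __name__ == "__main__":
    rule = "Brute Force Login"
    print("Trigger Logs:", trigger_logs_last_24h(OBSERVATIONS, rule))
    print("Heat Map:", heat_map(OBSERVATIONS, rule))
    print("Rule Last 24h:", rule_last_24h(OBSERVATIONS, rule))
    print("Last Fired:", last_fired(OBSERVATIONS, rule).isoformat())
    print("Related:", len(related_observations(OBSERVATIONS, OBSERVATIONS[0])))
```

Note the asymmetry the field descriptions imply: Trigger Logs, Heat Map and Rule Last 24h are bounded to a 24 hour window, while Last Fired reports the most recent observation regardless of age, so a rule can show zero recent activity and still carry an old Last Fired timestamp.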