You can use the Discover page to build tables as you submit search queries, filter the search results, and view document data. You can also see the number of documents that match any search query and get field value statistics. The distribution of documents over time appears in a histogram at the top of the page.

To access NetMon's Discover page, click the Discover  icon on the Kibana sidebar.

Use the Discover page to explore data from every session analyzed by NetMon.


Kibana Sidebar

Field List

Total Hits

Time Filter

Discover Toolbar

Refresh/Save Rule

Search Bar

Histogram 

Filter

Documents Table

Index Pattern

Set the Time Filter

The Time Filter restricts the search results to a specific time period. By default, the time filter is set to the last 15 minutes. You can use the Time Picker to change the time filter or select a specific time interval or time range in the histogram at the top of the page.

To configure custom start and end dates in the Time Filter, click the Time Filter. You will see start and end periods separated by an arrow.

Use the following instructions to set a time filter with the Time Picker.

Set a Quick Filter

  1. Click the Time Filter  icon in the toolbar.
  2. Configure the time interval under the Quick select header and click Apply, or click one of the shortcut links under the Commonly used or Recently used date ranges headers to use a previously configured time interval.

Set a Time Filter from the Histogram

  • Click the bar that represents the time interval you want to zoom in on, and then click Apply.
  • Click and drag to view a specific timespan. You must start the selection with the cursor over the background of the chart—the cursor changes to a plus sign when you hover over a valid start point.

You can use the browser's Back button to undo your changes.

The histogram lists the time range you are currently exploring, as well as the intervals that range is currently using. To change the intervals, click the link and select an interval from the drop-down. The default behavior automatically sets an interval based on the time range.

Search Your Data

You can search by submitting a query from the Discover page. You can enter simple query strings, use the Lucene query syntax, or use the full JSON-based Elasticsearch Query DSL.

When you submit a search, the histogram, Documents table, and Fields list are updated to reflect the search results. The total number of hits (matching documents) is shown in the upper-left corner of the page. The Documents table shows the first 500 hits. By default, the hits are listed in reverse chronological order, with the newest documents shown first. You can reverse the sort order by clicking on the Time column header. You can also sort the table using the values in any indexed field.

To search your data:

  1. Enter a query string in the Search field:
    • To perform a free text search, simply enter a text string. This searches all metadata that has been analyzed by NetMon.
    • To search for a value in a metadata field, prefix the value with the field name. For example, you could enter Application:smtp to limit the results to SMTP traffic.
    • To search for a range of values, you can use the bracketed range syntax, [START_VALUE TO END_VALUE]. For example, to find sessions with application IDs of 7xx, you could enter ApplicationID:[700 TO 799].
    • To specify more complex search criteria, you can use the Boolean operators AND, OR, and NOT. For example, to find email messages containing an attachment, you could enter ApplicationTags:email AND Attach:true.
    These examples use the Lucene query syntax. You can also submit queries using the Kibana Query Language (KQL). For examples, see query string syntax in the Elasticsearch Reference.
  2. To submit your search query, press Enter.

Start a New Search

To clear the current search and start a new search, click New on the Discover toolbar.

Save a Search

You can reload saved searches on the Discover page and use them as the basis for visualizations. To save the current search:

  1. Click Save on the Discover toolbar.
  2. Enter a name for the search, and then click Confirm Save.

Open a Saved Search

To open a saved search:

  1. Click Open on the Discover toolbar.
  2. Select the search you want to load.

Share a Search

To share a search:

  1. Click Share on the Discover toolbar.

  2. Select whether to share the search as a snapshot (which encodes the current state of the URL) or a saved object (which lets users load the most recent saved version of the search).

    You cannot share the link as a saved object unless the search has been saved.
  3. (Optional) To shorten the search URL, click the Short URL toggle. Shortening the URL helps avoid compatibility issues with certain browsers and text editors.
  4. Click Copy link.

Inspect a Search

This function queries Elasticsearch to fetch information on your search. To inspect a search, click Inspect on the Discover toolbar.

Automatically Refresh the Page

You can configure a refresh interval to automatically refresh the page with the latest index data. This periodically resubmits the search query.

When a refresh interval is set, it appears in the time filter.

To set the refresh interval:

  1. Click the Time Filter  icon.
  2. Under the Quick select header, set a refresh interval.
  3. Click Apply.

To automatically refresh the data:

  1. Under the Refresh every header, select an auto-refresh interval.
  2. Click Start.
    When auto-refresh is enabled, the time filter icon changes to a clock: 
  3. To stop auto-refresh, click Stop.

Filter by Field

You can filter the search results to display only those documents that contain a particular value in a field. You can also create negative filters that exclude documents that contain the specified field value.

You can add filters from the search bar, the fields list, or the Documents table. When you add a filter, it appears in the filter bar below the search bar. From the filter bar, you can enable or disable a filter, invert the filter (change it from a positive filter to a negative filter or a negative to a positive), toggle the filter on or off, or remove it entirely. To collapse the list, click the Filters box next to the search bar.

Add a Filter from the Search Bar

  1. Click the Filters box next to the search bar.
  2. Click Add filter.
  3. Select a Field, select an Operator, and then enter a value in the Value field.
  4. (Optional) Click the Create custom label? slider on or off.
  5. Click Save.
    The filter appears under the search bar.

Add a Filter from the Fields List

  1. Click the name of the field you want to filter on. This displays the top five values for that field. To the right of each value, there are two magnifying glass buttons—one for adding a regular (positive) filter, and one for adding a negative filter.
  2. To add a positive filter, click the Positive Filter button. A positive filter includes only documents that contain that value in the field.
  3. To add a negative filter, click the Negative Filter button. A negative filter excludes any documents that contain that value in the field.
    The filter appears under the search bar.

Add a Filter from the Documents Table

  1. Expand a document in the Documents table by clicking the Expand button to the left of the document’s entry in the first column (the first column is usually Time). To the right of each field name, there are two magnifying glass buttons—one for adding a regular (positive) filter, and one for adding a negative filter.
  2. To add a positive filter based on the document’s value in a field, click the Positive Filter button. A positive filter includes only documents that contain the specified value in that field.
  3. To add a negative filter based on the document’s value in a field, click the Negative Filter button. A negative filter excludes any documents that contain the specified value in that field.
    The filter appears under the search bar.

Work with Filters

When you create a filter anywhere in NetMon, the filter conditions display in a box under the search bar. The number of active filters appears on the right side of the Filters box.

Clicking on a filter box displays the following options:

Pin across all apps

Click this option to pin the filter across all tabs in NetMon, ensuring they remain in place for different visualizations and dashboards. You can unpin the filter by clicking the icon (which now says "Unpin") again.

Edit filter

Click this option to edit a filter. For more information, see Filter by Field.

Exclude results

Click this option to exclude results from the current view. You can toggle this setting back to include by clicking the icon (which now says "Include filters") again.

Temporarily disable

Click this option to disable the filter without removing it. You can enable a disabled filter by clicking the icon (which now says "Re-enable") again.

Delete

Click this option to remove a filter entirely.

View Document Data

When you submit a search query, the 500 most recent documents that match the query are listed in the Documents table. You can add fields to the Documents table from the Fields list. You can sort the listed documents by any indexed field that’s included in the table.

To view a document’s field data, click the Expand  icon to the left of the document’s entry in the Time column. NetMon reads the document data from Elasticsearch and displays the document fields in a table.

  • To view the original JSON document (pretty-printed), click the JSON tab.
  • To view document data in the context of newer and older documents, click View surrounding documents.
  • To view the document data as a separate page, click View single document.
  • To collapse the document details, click the Collapse  icon.
  • Hover over a metadata row to see filter buttons and field values.
    • To add an include filter, click .
    • To add an exclude filter, click .
    • To toggle a field's column in the Documents table, click .
    • To add an exists filter, click .

Add Field Columns to the Documents Table

By default, the Documents table shows the localized version of the time field and the document source. You can add fields to the table from the Fields list or from a document’s expanded view.

Add a Field from the Fields List

  1. Hover over a field in the Fields list that you want to add, and then click add.
  2. Repeat until you’ve added all the fields you want to display in the Documents table.

Add a Field from the Documents Table

  1. In the Documents table, hover over the field you want to add, and then click the Toggle column in table  button.
    The added field columns replace the _source column in the Documents table. The added fields are also listed in the Selected Fields section at the top of the field list.
  2. To rearrange the field columns in the table, point to the header of the column you want to move, and then click the Move button ( or ).

Remove Field Columns from the Documents Table

To remove field columns from the Documents table:

  1. Hover over the field you want to remove, and then click its remove  button.
  2. Repeat until you’ve removed all the fields you want to drop from the Documents table.

View Field Data Statistics

From the Fields list, you can see how many documents in the Documents table contain a particular field, what the top five values are, and what percentage of documents contain each value.

To view field data statistics, click the name of a field in the Fields list. The field can be anywhere in the Fields list: Selected Fields or Available Fields.