Perform Pivot Searches
Pivot searches offer two methods for building and running searches based on event metadata. You can run a pivot search from the Analyzer grid or from a TopX widget in the Dashboard. A pivot search from the Analyzer grid defaults to the log date and time, while a pivot search from a TopX widget defaults to the current time and date. Additionally, a pivot search from the Analyzer grid displays results for all metadata that go into the poly fields Host and Application. Host has the values Known Host, Hostname, and IP Address, while Application has the values Known Application, TCP/UDP port, and Protocol. A pivot search from a TopX widget only allows you to search the exact value shown in the widget.
To run a pivot search:
- Do one of the following:
  - On either the Dashboards page or Analyze page, on the lower-right side of the page, click the Logs tab to open the Analyzer grid.
    - Hover your mouse over the metadata field containing the value that you want to search.
      A Configuration icon appears in the field.
    - Click the Configuration icon.
      The event row turns blue and the Inspector panel appears. The metadata type and value as well as the Log Date are listed in the Inspector panel.
  - On the navigation bar, click Dashboards.
    - On a TopX widget in the dashboard, hover your mouse over the widget and click the Settings icon.
      A blue border appears around the widget and the Inspector panel opens on the right.
    - Click the label or the chart element that represents the metadata you want to pivot against.
      Be sure to only click once. Double-clicking initiates a drilldown search. For more information, see Drill into Chart Metadata from the Dashboards.
- (Optional) To narrow your search to a specific time frame, type the time (in hours and minutes) before the date in the hh and mm fields on the left side of the box, and type the time after the date in the time fields on the right side of the box. When pivoting from the Analyzer grid, the date and time shown are the log date and time. When pivoting off a widget, the date and time shown are the current date and time.
  If you are building a pivot search based on multiple metadata values, you can also specify a time frame in a later step using the Advanced Search dialog box. If a time frame is never specified, the time criteria for the search defaults to the last 24 hours.
- Do one of the following:
  - If the search criteria are sufficient, click Search Now.
    The search begins processing. For further instructions, see Use Search.
  - To continue adding search criteria using the Pivot Search feature and/or the Advanced Search dialog box, proceed as follows:
    - Click + Add to Search.
      A search task floats towards the Search button on the upper menu bar. A blue oval appears next to the button indicating that a search value has been added to the Advanced Search dialog box.
    - (Optional) Continue adding search criteria with Pivot Search using the same procedures described in the preceding steps 1 through 3.
      The number in the blue oval next to the Search button increases for every item that you add to the search.
    - Click Search on the upper menu bar to display the Advanced Search dialog box.
    - (Optional) Continue to refine your search in the Advanced Search dialog box as needed by following the same procedures described in Use Search.
    - When you are ready to start the search, see Use Search for further instructions.