This page has instructions for performing a query, otherwise known as a pivot, in Investigation Workflow. To run the pivot without modifying the query in any way, see Run a default pivot below. If you’d like to tailor the query time range, search on multiple link values, or change the way that events are presented in query results, see Modify a Pivot below. You can also Create a pivot from scratch.
Run a default pivot
When you run a pivot without modifying it:
- The query time range is the time range currently selected on the Investigation tab.
- The primary query will include a single link value, the one you click.
- Query chaining is enabled.
- The events returned by the pivot in the query results portion of the Investigation tab will be presented as factors, as opposed to in raw or detailed form.
If you don’t want to change any of the default settings for a pivot, you can run it in either of these ways:
- Click a blue link value in a factor.
- Shift-click a link value in a factor, and click Pivot in the popup menu.
The pivot will use the time range currently selected in the Investigation tab.
Modify a pivot
When you perform a pivot, you can modify it to set a specific time range, add additional link values to the query, and choose the format in which events are presented in query results.
To modify a pivot query
- Shift-click a blue link value. A context menu displays a variety of options, depending on the link value type.
- Click Add to Pivot. The New Pivot dialog appears in the upper right side of the page. Note that:
  - The Start and End fields are populated with the date range from the current pivot.
  - The Link Values section shows the link value you just clicked, and its type.
  - Previous pivots are shown under the Recent label.
- Note. Enter a note to describe the pivot.
- Start. To change the start of the time range, click the Start field. You can:
  - Select Previous Day to shift the start of the range back by 24 hours.
  - Select Next Day to shift the start of the range ahead by 24 hours.
  - Select Trailing Week to shift the start of the range back by 7 days.
  - Enter a date explicitly in the Start field.
- End. To change the end of the time range, enter the new end date in the End field.
- Link Values. You can add or remove link values from the pivot.
  - If you want to remove the current link value from the query, click the X next to it.
  - To add a link value to the query, enter a link value in the field provided. Investigation Workflow will suggest the link type, but some link types, like user and host names, are ambiguous. If the wrong link type is shown, select the correct type.
  - Add additional link values as desired.
- Chain. If you leave this selected, when Investigation Workflow runs the query, it will also run secondary queries on all the link values in the factors returned by the primary query. For more information, see Queries are chained by default.
- Factored/Detail/Raw. Use these radio buttons to select the format in which events returned by the query are presented. By default, event factors are presented. Click Detail to view all of the name-value pairs that Investigation Workflow parsed from the event, or Raw to view the raw log message.
- Click Pivot to run the query.
Create a pivot from scratch
While you are working on an investigation you can construct a new pivot.
- On the Investigation tab, click the plus sign (+) near the upper right of the page.
  - The New Pivot popup appears.
- Note. Enter a short note to associate with this pivot.
- Start and End. Enter the start and end time for the pivot. Start and end time each consist of a date and a time of day. Many different input formats are supported. The simplest form is month and day, like this:
If you do not specify a time, the default is midnight.
- Link Values. Enter one or more link values. Investigation Workflow will suggest the link type, but some link types, like user and host names, are ambiguous. If the wrong link type is shown, select the correct type.
- Chain. This option allows you to run secondary queries on all the link values in the factors returned by the primary query. For information about chained queries, see Queries are chained by default.