Drill down

When you see an interesting top-level metric about protocol activity on a device, a device group, an activity group, or an application page, you can drill down to investigate which factors are linked to that activity. Drilling down on a metric lets you investigate metric values broken down by key, such as client IP address, server IP address, methods, or resources.

1. Click Metrics and then click Device, Device Group, Activity Group, or Application in the left pane.
2. Click a device, group, or application name.
3. Click on a metric value or a metric label in the chart legend. A menu appears.

   Tip:	You can also click a drill-down shortcut button in the Drill Down section in the upper right corner of the page.

4. In the Drill down by… section, select a key. A drill-down metrics page with a topnset of metric values by key appears. You can view up to 1,000 key values in a topnset.

   Tip:	If a View More link appears at the bottom of a chart, click View More to drill down on the metric displayed in the chart.

When you see an interesting top-level metric about network activity on a flow network or flow interface page, you can drill down to investigate which factors are linked to the activity. Drilling down on a metric lets you investigate metric values broken down by peer IP addresses, protocols and ports, conversations, and sender and receiver IP addresses.

1. Click Metrics and then click Networks in the left pane.
2. Click a flow network or flow interface name.
3. Click a metric value or a metric label in the chart legend. A menu appears.
4. In the Drill down by… section, select a key. For example, in the Endpoints region, you can drill down on charts by peer IP addresses.
   You will navigate to a page that contains a table of metric values by key from a topnset. You can view up to 1,000 key values in a topnset.

   Note:

   For drill-down metric values, which are not polled automatically, you will see the snapshot of the global time interval, which includes a blue refresh icon and gray text that indicates when the metric or record query was last polled. To reload the metrics for the specified time interval, click the refresh icon in the Global Time Selector display.

When you see an interesting top-level metric about network activity on a Network capture or VLAN page, you can identify which devices are linked to that activity.

1. Click Metrics.
2. Click Networks in the left pane.
3. Click a network capture or VLAN interface name.
4. Click a network layer in the left pane, such as L3 or L7 Protocols. Charts that display metric values for the selected time interval appear. For most protocols and metrics, a Device table also appears at the bottom of the page.
5. Click the chart data, which updates the list to display only the devices that are associated with the data.
6. Click a device name. A Device page appears, which displays traffic and protocol activity associated with the selected device.

You can add drill-down metrics to charts on protocol pages and dashboards. When you drill down on a metric in the Metric Explorer, you can view up to 20 top key values in a chart for a specific time interval. A key can be a client IP address, hostname, method, URI, referrer, or more. For example, if your chart displays a total count for HTTP Requests, you can drill down by client to view the IP addresses that sent the most requests to your web servers.

1. Log into the Web UI on the Discover or Command appliance.
2. Navigate to a dashboard or protocol page.
3. Click the chart title and then select Edit.
4. In the Details section, click Drill down by <None>, where <None> is the name of the drill-down metric key currently displayed in your chart.
5. Select a key from the drop-down list.

   Note:

   If you have more than one source selected in your metric set, such as two devices, the sources are automatically combined into an ad hoc source group as you drill down. You cannot deselect the Combine Sources checkbox. To view drill-down metrics for each source, you must remove a source from the metric set and then click Add Source to create a new metric set.

   If drill-down metric data for a common key is available for all of the metrics in a metric set, the drill-down metrics automatically appear in the drop-down list, as shown in the following figure. If a drill-down metric in the list is grayed out, data is unavailable for all of the metrics in that metric set. For example, client, server, and URI data are available for both HTTP Requests and HTTP Responses metrics in the metric set.
   
   
6. You can filter drill-down metric keys with an approximate match, regular expression (regex), or exact match through one of the following steps:
   • In the Filter field, select the ≈ icon to display keys by an approximate match or with regex. You must omit forward slashes with regex in the approximate match filter.
   • In the Filter field, select the = icon to display keys by an exact match. In the Filter field, select the = icon to display keys by an exact match.
7. Optional: In the top results field, enter the number of keys that you want to display. These keys will have the highest values.
8. To remove a drill-down selection, click the x icon.

   Note:

   You can display an exact key match per metric, as shown in the following figure. Click the drill-down metric name (such as All Methods) to select a specific drill-down metric key (such as GET) from the drop-down list. If a key appears gray (such as PROPFIND), drill-down metric data is unavailable for that specific key. You can also type a key that is not in the drop-down list.