After records are sent to an Explore appliance, you can query for those stored records from either the Discover or Command appliance. In addition, you can save record queries to run at a later time.
You can query records that are stored in the Explore appliance from multiple areas in the ExtraHop Web UI. The following figure shows the main records page, that you access by clicking Records from the top menu.
- Click Records from the top menu to start a new record query for all records stored on the Explore appliance.
- From the records page, click Record Queries in the navigation bar or Saved Record Queries in the left pane to access any saved queries or start a new query.
- Type a search term in the global search field at the top of the screen and click Search Records to start a query across all stored records.
- Click the Records icon from the panel of Action icons on an application or device protocol page that has built-in record formats. This option queries for records that match the selected metric source and protocol.
- Click the Records icon in the
left-hand column from any drill-down metrics page. This option queries for records
that match the selected metric source, protocol, and detailed stat value.
- Click the Records icon from a chart widget or on a metric drill-down page.
No matter where you start your query from, you might have a large set of records results. You can narrow down your results by applying filters to find the specific record you need.
There are a number of ways you can filter your record query results to find the exact transaction you are looking for. The sections below describe each method and show examples you can start with to familiarize yourself.
If you are trying to filter records by simple criteria (say, if you want all HTTP transactions from a single server that generated 404s), you can create a simple query. For simple queries, start by clicking Records from the top menu to get to the main Records page, and then add a filter in one of the following ways:
- Add a filter or refine results from the left pane
- Add a filter from the trifield
- Add a filter directly from record results
When you click Records from the top menu, all of the available records for your selected time interval appear. You can then filter from the left pane to refine your results.
The Record Type drop-down menu displays a list of all of the record types that your Discover or Command appliance is configured to collect and store.
The Group By drop-down gives you a list of fields to further filter the record type by.
The Refine Results section shows you a list of record types that are currently on the Explore appliance with the current number of records in parenthesis.
When you click Records from the top-level navigation, all of the available records for your selected time interval appear. A set of three filters (or the trifield) is available below the chart.
Select a field from the Any Field drop-down (such as Server), select an operator (such as the equal sign (=)), and then type a hostname. Click Add filter, and the filter is added above the filter bar.
Your results only show records that match the filter; in our example this means we only see results for transactions that are for the server named web2-nyc.
You can select any field entry displayed in either table view or verbose view in your record results and then click the pop-up operator to add the filter. Filters are displayed below the chart summary (except for the record type field, which is changed in the left pane).
For advanced queries, you can create and modify complex filters by clicking the pencil icon next to any filter that you have added.
- You can specify multiple criteria with OR (Match Any), AND (Match All), and NONE operators
- You can group filters and nest them to four levels within each group
- You can edit a filter group after you create it
- You can create a descriptive name to identify the general purpose of the query
Create a complex filter with AND and OR operators
The following example shows how you can create an advanced query to filter your records with complex criteria. We will create a filter to return results for all HTTP records that include two URIs plus a status code greater than or equal to 400 or a processing time greater than 750 milliseconds.
|Important:||To try this example on your own Discover appliance, you must have HTTP traffic on your network.|
- Click Records from the top menu.
In the left pane, select HTTP from the Refine Results
section. Only available records are displayed in the Refine Results section.
This step ensures that you have available records for this query.
Note: Record types do not appear as filters; they are displayed in the left pane.
- From within your record results, click an entry for a web server on your network in the URI column. Then, click the equal sign (=) to add the filter. We will select a URI called assets.example.com. The filter is now saved and appears beneath the chart.
Click the pencil icon next to your saved filter to open the Advanced
Filter editor. The Advanced Filter window opens with the
Filter Definition already showing the URI you added.
- Click Add Filter to add a second URI for another web server.
- Select URI, the equal sign (=), and then enter another URI. We will add media.example.com.
Under Filter Definition, change Match
Any to Match All. Match Any is an AND
operator and will let us search for criteria that matches both of these URIs.
In the next steps, we will add a group of criteria that applies specifically to the URIs we added.
Click Add Group.
- Click the Any Field drop-down and select Status Code.
- Select the greater than or equal to (≧) symbol.
- Type 400 in the number field.
Click Add Filter inside the white box to add another
filter to the group.
- Click the Any Field drop-down and select Processing Time.
- Select the greater than (>) symbol.
- Type 750 in the number field.
In the Custom Display Name field, type a descriptive name
to make the filter easy to identify on the results page, otherwise the display
name shows the first filter and the number of other applied rules:
We will type “Slow and Broken Web Assets” in the field.
- Click Save.
Next stepsYou can click Save Query as... from the top right of the page to save your criteria for another time.