Filtering data and saving filters in the investigation dashboard

About this task

You can filter data in the entire investigation dashboard, and in an individual chart. You can drill down from the Results Table into related information.

You can save filters for your future use. When you save a filter set, you choose if you want to share it, and choose the roles that you share it with.


  1. Use the following rules and syntax to filter data. All of these apply to both the Details and Summary tabs, except where noted.
    • To match an exact phrase, use double quotation marks around the search terms. For example, "Profiling Alert List" returns entries for Connection Profiling Alert List but not for Profiling List Alert.
    • To match all specified search terms, separate the terms with a space. For example, Hadoop getlisting returns any entries that contain both Hadoop and getlisting in any location or sequence.
    • To match any specified search terms, separate the terms with OR or a vertical bar (|). For example, Hadoop OR getlisting returns any entries that contain either Hadoop or getlisting in any location.
    • To exclude a specified search term, use NOT or a period (.). For example, NOT Hadoop does not return any entries that contain Hadoop in any location.
    • Wildcards are supported by using asterisks (*) at the beginning or ending of a string. For example, 10.10.70.* returns any entries with the string 10.10.70. followed by any additional characters.
    • Search rules can be used in combination. For example, 2016-5-08 (19.*|20.*) returns results in the time range of May 8 between the hours of 19:00:00 – 20:59:59.
    • To match an exact phrase in a specific column, enter "field name=value", for example "DB USER=user123". This search syntax is the only case-sensitive syntax. In the Details tab, you can also use this search for columns with numeric values, using < or > in the search value. For example, "Total Instances>1". This is particularly useful when there are results on multiple pages and you cannot see the full list of possible values.
    Adding filters changes each view based on the RefFilter specified for the view. Current filters appear in the menu bar. Each one can be cleared by clicking its X.
  2. Refine search results with any of the following methods:
    • Select specific filters based on the facets list:
      [Figure: Enterprise search filters]
    • Click the x or y-axis headers of a chart.
    • Click an individual search result in the Results Table:
      [Figure: Enterprise search filter by cell]
      Note: You can select one or more rows and right-click one of the server/DB user/Client IP cells to add them to an existing group, or to create a new group.
  3. Drill down into individual results by right-clicking specific search results and exploring related outliers, errors, or violations, or by viewing one of several available drill-down reports.
  4. To save a filter set, click Filters > Save. Provide a name for the filter and mark it as Private or click Share with to share the filter with specific roles. To save as your default filter set (the dashboard always opens with these filters), select Set as default filter. When you are finished, click OK to save the filter.
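
The following Python model of the search rules in step 1 is an added example, not the product's own search implementation or code from this documentation. The function names, the constructed sample rows, the whole-cell comparison for "field name=value" and the choice that space-separated terms bind tighter than OR are assumptions; parentheses, the period form of NOT and numeric < > comparisons are left out.

```python
import re

# A token is a quoted phrase, a vertical bar, or a run of other characters.
TOKEN = re.compile(r'"[^"]*"|\||[^\s|"]+')

def term_matches(term, row):
    """Evaluate one search term against one row (dict: column name -> cell text)."""
    if term.startswith('"'):
        body = term.strip('"')
        if "=" in body:
            # "field name=value" is the only case-sensitive form.
            field, value = body.split("=", 1)
            return row.get(field) == value  # assumption: whole-cell comparison
        return body.lower() in " ".join(row.values()).lower()
    words = " ".join(row.values()).lower().split()
    core = term.strip("*").lower()
    lead, trail = term.startswith("*"), term.endswith("*")
    if trail and not lead:   # 10.10.70.* -> a word beginning with 10.10.70.
        return any(w.startswith(core) for w in words)
    if lead and not trail:   # *listing -> a word ending with listing
        return any(w.endswith(core) for w in words)
    return any(core in w for w in words)  # plain term: anywhere, any case

def row_matches(query, row):
    """OR or | separates alternatives; every term inside one must hold."""
    alternatives, current, negate = [], [], False
    for tok in TOKEN.findall(query):
        if tok in ("OR", "|"):
            alternatives.append(current)
            current = []
        elif tok == "NOT":
            negate = True
        else:
            current.append((tok, negate))
            negate = False
    alternatives.append(current)
    return any(bool(alt) and all(term_matches(t, row) != neg for t, neg in alt)
               for alt in alternatives)

def search(query, rows):
    return [r for r in rows if row_matches(query, r)]

# Constructed sample rows (not real audit data).
ROWS = [
    {"DB USER": "user123", "Client IP": "10.10.70.15", "Description": "Hadoop getlisting request"},
    {"DB USER": "USER123", "Client IP": "10.10.71.4", "Description": "Connection Profiling Alert List"},
    {"DB USER": "admin", "Client IP": "10.10.70.200", "Description": "Profiling List Alert"},
    {"DB USER": "etl", "Client IP": "192.168.1.9", "Description": "getlisting on Hadoop cluster"},
]
```

Calling search('10.10.70.* NOT Hadoop', ROWS) combines a wildcard with an exclusion and returns only the admin row.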