Facet Search
A facet filters the results of an IQL query from a pane adjacent to the query's main results table. A facet is an automatic filter that saves time when configuring a search with the GUI.
The facet options are results-based attributes from a sample of the events found in the initial search. The facets will change based on the data in the records found by the search.
Faceted Searches are useful for getting a quick multidimensional view of the results to identify the most or least common elements.
You can enable Facets when:
Enabling facet search may increase the time to process the query.
Refine results using facet search
You can further refine your search on the results from the original query using facet search.
To refine the results in a facet search:
- Click Investigations.
- Click Select next to the investigation you want to open.
- Click View Results for the facet search query you want to refine. The Refine Search pane displays a breakdown of the query results.
- Add or remove filters as required. The selected filters appear under the original search query. You can also clear the selected filters by clicking Clear All.
- Click Create New Query.
- Create a new investigation or add the query to an existing investigation. By default, the new query is added to the current investigation.
  - Create a New Investigation: Select this option to create a new investigation. Enter the Investigation Name and Description. The default name for new investigations is the first and last name of the user creating the investigation as well as a date stamp of when the investigation was created.
  - Add to Existing Investigation: From the Choose Investigation dropdown, select an investigation.
- Click Add Query. The query and all the included and excluded facets are shown on the investigation details page.