User Guide

Facet Search

A facet filters the results of an IQL query in a pane adjacent to the main results table. A facet is an automatic filter that saves the time of configuring a search manually in the GUI.

The facet options are results-based attributes from a sample of the events found in the initial search. The facets will change based on the data in the records found by the search.

Faceted Searches are useful for getting a quick multidimensional view of the results to identify the most or least common elements.

You can enable Facets when:

Note

Enabling facet search may increase the time needed to process the query.

Refine results using facet search

You can further refine your search on the results from the original query using facet search.

To refine the results in a facet search:
  1. Click Investigations.

  2. Click Select next to the investigation you want to open.

  3. Click View Results for the facet search query you want to refine. The Refine Search pane displays a breakdown of the query results.

    Refine Search

  4. Add or remove filters as required. The selected filters appear under the original search query. You can also clear all selected filters by clicking Clear All.

  5. Click Create New Query.

    Create new query

  6. Create a new investigation or add the query to an existing investigation. By default, the new query is added to the current investigation.

    Create a New Investigation

    Select this option to create a new investigation. Enter the Investigation Name and Description.

    The default name for new investigations is the first and last name of the user creating the investigation as well as a date stamp of when the investigation was created.

    Add to Existing Investigation

    From the Choose Investigation dropdown, select an investigation.

  7. Click Add Query. The query, together with all included and excluded facets, is shown on the investigation details page.

    Investigation details with facets