Views:

Learn about the actions available for your query results.

Action
Description
Export query results
Click the export button and select CSV or JSON from the drop-down menu. A single export contains at most 100,000 query results; if a query matches more than that, the remaining results are not exported, so narrow the query (for example, by time range) when you need the complete set.
Note
The content of the export depends on the view selected from the View drop-down menu:
  • Standard view: Exports the raw_log field. All fields of an event are packed into a single cell (one column) per row of the exported CSV file.
  • Custom view: Exports the user-defined column configuration. Each field appears as its own column in the exported CSV file.
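The practical consequence of the two export shapes is that a Standard view CSV has one column whose cell holds the whole event, while a Custom view CSV has one column per field. The following is an added example, not code from the page or from the product, that parses a Standard view export and unpacks it into per-field columns, the shape a Custom view export has. It assumes that the raw_log cell holds the event as a JSON object; the sample CSV, the field names and the values in it are constructed for the example. It also flags an export whose row count equals the 100,000 cap, which is the signal that the query matched more results than the export could carry.

```python
import csv
import io
import json

MAX_EXPORT_ROWS = 100_000  # export cap stated in the documentation


def _build_sample_standard_csv():
    """Constructed sample of a Standard view export: one raw_log column,
    each cell assumed to hold the event as a JSON object."""
    events = [
        {"eventTime": "2024-01-15T10:02:11Z", "hostName": "ws-01",
         "processCmd": "powershell.exe -enc QQBBAEEA", "tags": ["tag-a", "tag-b"]},
        {"eventTime": "2024-01-15T10:05:47Z", "hostName": "ws-02",
         "processCmd": "cmd.exe /c whoami", "tags": ["tag-b"]},
    ]
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["raw_log"])
    for event in events:
        writer.writerow([json.dumps(event)])
    return buf.getvalue()


STANDARD_VIEW_CSV = _build_sample_standard_csv()


def flatten_standard_export(csv_text):
    """Parse a Standard view CSV and unpack the raw_log JSON of every row.

    Returns (columns, rows): the union of field names in first-seen order,
    and one dict per event. Rows that lack a field simply have no key for it.
    """
    columns = []
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        event = json.loads(row["raw_log"])
        for key in event:
            if key not in columns:
                columns.append(key)
        rows.append(event)
    return columns, rows


def to_custom_view_csv(columns, rows):
    """Write the events as a column-per-field CSV, the shape of a Custom view export.

    Array or object values are JSON-encoded inside their cell so they survive a
    round trip through a spreadsheet or a second parser.
    """
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns)
    writer.writeheader()
    for event in rows:
        writer.writerow({
            key: json.dumps(value) if isinstance(value, (list, dict)) else value
            for key, value in event.items()
        })
    return buf.getvalue()


def export_may_be_truncated(rows):
    """True when the export is at the cap, meaning the query likely matched more."""
    return len(rows) >= MAX_EXPORT_ROWS


if __name__ == "__main__":
    cols, events = flatten_standard_export(STANDARD_VIEW_CSV)
    print(to_custom_view_csv(cols, events))
    print("possibly truncated:", export_may_be_truncated(events))
```

If you only need per-field columns, selecting a Custom view before exporting avoids this post-processing entirely; the parser is useful when an export was already taken in Standard view, or when you want the raw_log kept alongside the flattened columns for evidence preservation.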
Import query views
Click View and select Import Views to import one or more JSON files containing views.
Switch between query result views
Click View and select a view:
  • Standard View: The default view. Displays only the Logged column.
  • Column: Displays fields as user-defined columns.
  • Field groups: Organizes fields into user-defined groups. The field group view includes the preconfigured Recommended Field Groups view.
Create custom views
On the Data Grouping panel, right-click any field to start creating a custom view.
You can add or remove fields from custom column views by right-clicking the field and selecting Add to Column View or Remove from Column View.
View the data grouping and matched events of your query result detections
On the Data Grouping panel, click the expand icon next to any field to expand it and view the matched events from your detections.
Note
The counts shown for each field in the Data Grouping panel are aggregated over field values, not raw record counts. When a field holds an array, each element is expanded and counted individually.
  • For example, if a field has array values in two records, record1: [a,b] and record2: [a,c], Data Grouping shows 3 distinct values (a, b, c) from 2 records: a appears twice, b once and c once. Because elements are counted individually, the sum of the value counts (4 here) is larger than the number of records (2), so a field's counts must not be read as the number of matching records.
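To make the difference between an aggregated value count and a record count concrete, the following is an added example (not code from the page or from the product) that reproduces the Data Grouping aggregation described above on constructed sample records and sets it beside a plain record count. The records, field names and values are made up for the example; the aggregation rule, array elements expanded and counted individually, is the one the note states.

```python
from collections import Counter

# Constructed sample detections (example data, not from the page or any product).
# "tags" is array-valued, "hostName" is scalar. The tags reproduce the note's case:
# record1: [a,b], record2: [a,c].
RECORDS = [
    {"hostName": "ws-01", "tags": ["a", "b"]},
    {"hostName": "ws-02", "tags": ["a", "c"]},
]


def data_grouping_counts(records, field):
    """Aggregate `field` the way the Data Grouping panel does.

    Every array element is expanded and counted individually; scalar values count
    once. Records that lack the field are skipped.
    Returns (Counter mapping value -> occurrences, number of records having the field).
    """
    counts = Counter()
    records_with_field = 0
    for record in records:
        if field not in record:
            continue
        records_with_field += 1
        value = record[field]
        elements = value if isinstance(value, list) else [value]
        counts.update(elements)
    return counts, records_with_field


def records_containing(records, field, value):
    """Raw record count: how many records hold `value` in `field` at least once.

    This is the number an analyst usually wants when sizing an incident, and it
    is not what the Data Grouping panel shows for array-valued fields.
    """
    hits = 0
    for record in records:
        current = record.get(field)
        elements = current if isinstance(current, list) else [current]
        if value in elements:
            hits += 1
    return hits


def grouping_summary(records, field):
    """Summarise a field as the panel would: distinct values, total occurrences, records."""
    counts, n_records = data_grouping_counts(records, field)
    return {
        "distinct_values": len(counts),
        "total_occurrences": sum(counts.values()),
        "records": n_records,
        "per_value": dict(counts),
    }


if __name__ == "__main__":
    summary = grouping_summary(RECORDS, "tags")
    # 3 distinct values from 2 records, 4 occurrences in total
    print(summary)
    print("records containing tag a:", records_containing(RECORDS, "tags", "a"))
```

When the sum of a field's counts exceeds the record count in the panel, the field is array-valued and has been expanded; use a per-record count such as `records_containing` (or expand the field's events and count them) before quoting a number of affected detections or hosts.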
View events in your query results
Click the expand icon next to any event to expand it and view the detected data.