Search queries executed by XpoSearch return the following:

A graphical presentation of matching events over time
Distribution over the multiple log sources
The matching log events from all relevant logs

Analyzing Graphical Distribution of Search Results

XpoSearch returns a graph that shows the distribution of events over time. You can choose how to display the graph and what to show in the graph. You can also view the distribution of the results in a log, zoom in or out of any time slot, and view the previous or next timeslot.

Defining Graph

XpoSearch enables you to define what your graph looks like, as well as its contents, using the icons on the Graph Toolbar.

Defining Graph Display

You have the option of displaying your graph as a bar graph (the default) or a line graph. In the bar graph, a bar appears at each point in time where events were found to match your search query. The height of each bar represents the number of events that occurred at the specific time. A bar does not appear at times when no events matching your search query occurred. A line graph shows how the number of events matching the search query changes from one point in time to the next.

To display your graph as a bar graph:

In the Graph Toolbar, click .

To display your graph as a line graph:

In the Graph Toolbar, click .

Defining Graph Contents

You have the option of displaying your graph in a split view or a summary view.

Viewing Distribution of Results

Viewing Results in Log

Zooming In/Out of a Timeslot

You can zoom into any timeslot in your graph, so that you can see a more detailed breakdown of events over a smaller period of time. For example, a search executed for a time period of seven days shows the distribution of events that match the search criteria, per day. You can then zoom into any timeslot (day) to see the distribution of events during that day, and you can zoom in further to see the distribution of events in a specific hour on that day. At any point, you can zoom out repeatedly until you reach the graph resulting from the time period that you selected for the search query.

To zoom into a timeslot:

In the graph, in the timeslot which you want to zoom into, click the zoom in icon .
The zoomed-in timeslot is subdivided into smaller timeslots. The button appears, enabling you to zoom out to the previous display. The time period of the search is automatically changed to Custom.
You can repeatedly click the zoom in icon to see a more detailed distribution of the events.

To zoom out of a timeslot:

In the graph, click the button.
You can repeatedly click thebutton until the graph is displayed for the time period that you selected for the search query. At this point, the button will no longer appear.

Viewing the Previous /Next Timeslot

You can display the previous or next timeslot directly from the graph.

To display the previous timeslot:

Below the graph, on the left, click the icon.

To display the next timeslot:

Below the graph, on the right, click the icon.

Analyzing Search Result Events

Expanding/Collapsing All Events

XpoSearch enables you to view detailed stack trace information of all resulting events, provided that the events have stack traces. This feature makes it possible for you to see the cause of any event. You can also close the stack traces of all events.

To expand all events:

In the Events toolbar, click the Expand Events icon .

To collapse all events:

In the Events toolbar, click the Collapse Events icon .

Enabling/Disabling Analytics of All Events

By default, while XpoSearch searches for all events that match your search query, it also performs analytics on all events, colorcoding the fields according to their severity, and displaying the severity of the event. You can disable analytics, so that XpoSearch only performs the search.