Running a search query returns a graph that shows the distribution of events over time. You can determine the display mode and contents of the graph. The graph has drilldown functionality, enabling you to zoom into any timeslot, and run the same search on that timeslot. It also enables you to hover over a bar or line graph to see the source of events and drill down to see the exact events in any log. You can also view the previous or next timeslot.
Defining the Graph
XpoSearch enables you to define what your graph looks like, as well as its contents, using the icons on the Graph Toolbar.
Defining Graph Display
You have the option of displaying your graph as a bar graph (the default) or a line graph. In the bar graph, a bar appears at each point in time where events were found to match your search query. The height of each bar is according to the number of events that occurred at the specific time. A bar does not appear at times when no events matching your search query occurred. A line graph shows how the number of events matching the search query changed from one point in time to the next.
To display your graph as a bar graph:
- In the Graph Toolbar, click the Bar Graph icon.
To display your graph as a line graph:
- In the Graph Toolbar, click the Line Graph icon.
Defining Graph Contents
You have the option of displaying your graph in a split view or summary view. In the split view, the number of bars or lines in a timeslot is equivalent to the number of logs that were the source of events in that timeslot; each bar or line represents the number of events in a single log source of events. In the summary view, a single bar or line represents all events from all log sources.
To display your graph in split view:
- In the Graph Toolbar, click the Split View icon.
To display your graph in summary view:
- In the Graph Toolbar, click the Summary View icon.
Viewing the Distribution of Results in Logs
You can hover over any bar or line in your graph to see the number of matching events that were produced by each log. You can then click any log in the chart, to view the log's events in the log viewer under the XpoLog tab. There, you can see the same information that is displayed as free text in the search result events, in column format.
Zooming In/Out of a Timeslot
You can zoom into any timeslot in your graph, so that you can see a more detailed breakdown of events over a smaller period of time. For example, a search that runs for a time period of seven days shows the distribution of events that match the search criteria, per day. You can then zoom into any timeslot (day) to see the distribution of events during that day, and you can zoom in further to see the distribution of events in a specific hour on that day. At any point, you can zoom out repeatedly until you reach the graph resulting from the time period that you selected for the search query.
To zoom into a timeslot:
- In the graph, in the timeslot which you want to zoom into, click the Zoom-in icon.
The zoomed-in timeslot is subdivided into smaller timeslots. The Zoom-out button appears, enabling you to zoom out to the previous display. The time period of the search is automatically changed to Custom.
You can repeatedly click the Zoom-in icon to see a more detailed distribution of the events.
To zoom out of a timeslot:
- In the graph, click the Zoom-out button.
You can repeatedly click the Zoom-out button until the graph is displayed for the time period that you selected for the search query. At this point, the Zoom-out button is no longer displayed.
Viewing the Previous/Next Timeslot
You can display directly from the graph, a graphical representation of the number of events that meet the search criteria in the previous or next timeslot.
To display the previous timeslot:
- Below the graph, on the left, click the Previous Timeslot icon.
To display the next timeslot:
- Below the graph, on the right, click the Next Timeslot icon.