Skip to main content

Facet

Overview

The facet is located on the left side of Events Search (Data Lake -> Events Search) and pages under EventWatch section.

The facet acts as a filter allowing information to be focused on or removed from results on the page. Information in the facet is presented first by the field attribute. Results for the field attribute are presented underneath in order of the number of times that value appears in the result set, the count.

In this section these three components are referenced:

  • attribute: how data is grouped: e.g. "Tags"
  • value: the values in the attribute field: e.g. "WARNING", "INFO", "sshd", "hb", "systemd"
  • count: the number of times that value appears in the set: e.g. "79776", "32494", "21715", "5784", "5223"

Three State Selection

Next to each value that appears in the attribute group there is a checkbox. This checkbox has three states:

  • open: neutral state, this does not impact the search result.
  • checked: focus, results that appear must include one of the checked values in the attributes.
  • crossed-out: exclude, results that appear must not include this value regardless of any other checked values.

Increasing and Decreasing Results

The "plus" and "minus" icons next to the attribute increases or decreases the number of listed values by five (5). The maximum that facet is set to show fifty (50) values.

Relationship Between Attributes

Checked boxes between attribute types act like logical and statements, while checked boxes in the same attribute act as logical or statements.

Crossed-out values are removed from all results regardless of checked boxes elsewhere.

Clicking the "search" button (bottom right corner, the blue one) will perform a search using the checked/crossed-out attributes in the facet.

Reset

Pressing the "reset" button (leftmost) in the facet toolbar will clear all the selected options as well as the text in the search bar.

Facet Maintenance

For each page there is a default facet configuration. Users can, however, create their own facet views and save them for later use.

Modifying the Facet

Next to the "search" and "reset" buttons on the bottom of the facet there is an "edit" button. Clicking this "edit" button changes the facet window into an edit mode.

In this mode, you can:

  • delete an attribute
  • add an attribute
  • change the order in which the attributes appear

Delete

To delete an attribute, click the "delete" button (trash icon) to the right. It will disappear and maintain the order.

Add

On the bottom of the list are two fields. The first field is the Title to call the attribute to add. The second field is the dot notation of the address.

When the fields are correct, click "+" to add to the list.

Order

The list of attributes is draggable. You can change the order of the list and click "APPLY" to set.

Loading and Saving a Facet

Facet configurations can be saved for future use.

Saving the Facet

You can save a facet by clicking the "save" button in the toolbar at the bottom of the facet. Click the "save" button, provide a short name and description, and then click "SAVE".

Saved facets can also be viewed on Data Table->Search Facets page.

Exporting a Facet

Click the "export" button in the toolbar at the bottom of the facet to export the current search as a ".csv" file.

Page last updated: 2023 Aug 10