Working with the search interface

The Search page lets you search through the data gathered and collated by DNIF.

This article introduces you to the various elements of the Search interface and the query directives you can use to work with this interface.

Elements of the Search Interface

Search interface in the DNIF web console

In the above image, elements on the interface are labeled using numbers and are explained in the table below:

Sr. No. | Element | Description
1. Search Field
  • In this text field, enter your query and press Return to execute it.
  • The SEARCH field makes writing DNIF Query Language (DQL) queries easier by suggesting syntax help and prompting known field names as you type.
  • Use Shift + Return to start a pipeline, that is, a query made of a series of query functions separated by the DNIF pipe operator >>.
  • Alternatively, type the >> (DNIF pipe operator) directly to build a pipeline. For example: _fetch * from event limit 10 >> _limit 5
2. Scope Selector
  • Lets you pick a scope name to direct your query at a specific customer deployment.
  • In a multi-location, multi-client or multi-environment deployment, it lets you toggle between them from a single pane of glass.
  • If you have a single standalone DNIF deployment, the drop-down shows only one scope.
3. Date Selector
  • Allows you to select from a list of preset date ranges.
  • Lets you set a custom date and time range.
  • You can use the $Duration field in the _fetch query function to override the date selector.
4. Sidebar
  • Lets you refine your search results by hiding fields that are not required.
  • Lets you change your field view parameters; these view parameters are stored in your browser only.
5. Result Set or Data Stack
  • Shows the outcome of the query and lets you switch between the outcomes of the individual query functions in the pipeline.
  • Contains options to further process the outcome; these operate only on the information in the data stack of that query.
6. Save Query
  • Saves your query for reuse; all query functions up to and including the current one are saved.
  • You can save a query under a name and reuse it with the syntax %name_of_saved_search in the query field.
7. Download Results
  • Lets you download the current data stack in JSON, CSV, and Excel formats.
8. Options
  • The Options menu lets you create:
  • Event stores
  • Profiles
  • Context menus

Event stores are used to manually upload and store logs, events, or any static data so that it can be analyzed retrospectively. Event stores are well suited to analytics on static datasets.

Profiles let you upload the contextual data you need and set up a baseline. Profiles are used by several query directives, such as _store, _checkif lookup, and _retrieve.

Context menus let you execute queries that perform validation checks or responses on a particular field.

NOTE: DNIF uses the DNIF Query Language (DQL) as the abstraction layer for DNIF users. If you’re looking to get started with DQL, we strongly recommend that you first familiarize yourself with the DNIF Query Language.

Query Directives

DQL, with its varied set of query functions, lets you query, process, evaluate, and transmit data from the DNIF web interface itself. The primitives that provide these capabilities are called query directives.

Query directives let you apply different kinds of processing when searching for data. They fall into three categories:

  • Inward query directives
  • Process query directives
  • Outward query directives

Inward Query Directives

Query Directive | Description

_fetch
  • Returns data from the data store instance or cluster.
  • Allows filtering data based on query parameters.
  • Allows grouping and aggregation of data.
  • Enables tagging for correlation.

_retrieve
  • Returns data from a stored file descriptor.

Process Query Directives

Query Directive | Description

_checkif
  • Applies conditional logic to the data in the data stack.
  • Compares integer, string, date, or time data types.
  • Looks up a stored file descriptor for two- or three-dimensional comparators.

Enrichment directive
  • Enriches data using third-party feeds via API calls.
  • Integrates with third-party APIs for referencing queries.
  • Adds new fields to the data stream after enrichment.

_agg
  • Groups events from the data stack.
  • Provides multiple aggregation capabilities such as count and statistics.
  • Allows sorting on up to four dimensions.

_sort
  • Sorts the existing data stack.
  • Performs numeric and alphanumeric sorts.
  • Allows ascending and descending sorting.

_limit
  • Limits the number of rows returned (in the result set) to the number specified.
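
The following Python is an added illustration, not DNIF's code and not DQL syntax: it models how a >> pipeline of query functions runs, and why the data stack keeps the outcome of every stage so you can switch between them. The stage names echo the directives on this page (_fetch, _checkif lookup, _agg, _sort, _limit), but the stage functions, their parameters, the sample events and the lookup set are all assumptions made for the example.

```python
from collections import Counter

# Constructed sample events, standing in for rows in an event store (not real DNIF data).
EVENTS = [
    {"$SrcIP": "10.0.0.5",    "$User": "alice", "$Action": "LOGIN_FAILED"},
    {"$SrcIP": "10.0.0.5",    "$User": "alice", "$Action": "LOGIN_FAILED"},
    {"$SrcIP": "10.0.0.5",    "$User": "alice", "$Action": "LOGIN_FAILED"},
    {"$SrcIP": "10.0.0.9",    "$User": "bob",   "$Action": "LOGIN_OK"},
    {"$SrcIP": "203.0.113.7", "$User": "carol", "$Action": "LOGIN_FAILED"},
    {"$SrcIP": "203.0.113.7", "$User": "dave",  "$Action": "LOGIN_FAILED"},
]

# Constructed "profile": the stored lookup that a _checkif lookup would consult (assumed).
KNOWN_BAD_IPS = {"203.0.113.7"}


def fetch(source, where=None, limit=None):
    """Inward stage (cf. _fetch): read rows from the store, filter on
    field=value pairs, and cap the row count."""
    def run(_previous):
        rows = [r for r in source
                if all(r.get(k) == v for k, v in (where or {}).items())]
        return rows if limit is None else rows[:limit]
    return run


def checkif_lookup(field, lookup):
    """Process stage (cf. _checkif lookup): keep rows whose field value
    is present in a stored lookup set."""
    return lambda rows: [r for r in rows if r.get(field) in lookup]


def agg_count(*fields):
    """Process stage (cf. _agg count): group rows on the given fields and
    emit one row per group carrying a $count column."""
    def run(rows):
        counts = Counter(tuple(r.get(f) for f in fields) for r in rows)
        return [dict(zip(fields, key), **{"$count": n})
                for key, n in counts.items()]
    return run


def sort_by(field, desc=True):
    """Process stage (cf. _sort): order rows on one field."""
    return lambda rows: sorted(rows, key=lambda r: r[field], reverse=desc)


def limit(n):
    """Process stage (cf. _limit): keep only the first n rows."""
    return lambda rows: rows[:n]


def run_pipeline(*stages):
    """Run stages left to right, as >> chains query functions. Every
    intermediate result is kept, so the caller can inspect the outcome of
    any single stage, like switching stages in the console's data stack."""
    stack, rows = [], []
    for stage in stages:
        rows = stage(rows)
        stack.append(rows)
    return stack


def limit_pipeline():
    """Model of: _fetch * from event limit 10 >> _limit 5"""
    return run_pipeline(fetch(EVENTS, limit=10), limit(5))


def top_failed_login_sources():
    """Fetch failed logins, count per source IP, sort descending, keep the top one."""
    return run_pipeline(
        fetch(EVENTS, where={"$Action": "LOGIN_FAILED"}),
        agg_count("$SrcIP"),
        sort_by("$count"),
        limit(1),
    )


def failed_logins_from_known_bad_ips():
    """Fetch failed logins and keep only those whose source IP is in the profile."""
    return run_pipeline(
        fetch(EVENTS, where={"$Action": "LOGIN_FAILED"}),
        checkif_lookup("$SrcIP", KNOWN_BAD_IPS),
    )


if __name__ == "__main__":
    stack = top_failed_login_sources()
    for stage_no, rows in enumerate(stack, 1):
        print(f"stage {stage_no}: {len(rows)} row(s)")
    print("final:", stack[-1])
```

The point of keeping the whole stack rather than only the last result is visible in top_failed_login_sources(): the fetch stage still holds the five raw failed-login rows after the aggregation has collapsed them into two, so a pipeline can be debugged one stage at a time without re-running the query.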

Outward Query Directives

Query Directive | Description

Workflow directive
  • Interacts with workflow components such as reports, templates, and third-party plugins.
  • Enqueues reports on the reporting queue.
  • Interacts with third-party applications using APIs.

_store
  • Writes the data stack into a file descriptor.
  • The file descriptor can be stored either on disk or in memory.
  • Provides storage functions such as replace, append, and find and replace.

_raise
  • Triggers modules and incidents from a filtered dataset.
  • Creates an alert and attaches a module name and description to it.

Notification directive
  • Sends instant notifications or alerts based on the insights gathered from the data.
  • Notifies the required user groups or individual users.