Query Viewer Attributes

The following fields in the Query Viewer section are attributes to specify when creating a new query viewer.

Query Fields

Description

Name

Required: Enter a name for the query viewer. Spaces and special characters are allowed.

Query

Required: For first-time query viewer configuration, specify the base query used in this query viewer.

  • Select the query using the “Select a Query” drop-down menu. The arrow displays the Queries resource tree.

  • Alternatively, if the resource tree has too many subgroups to traverse and you know the query by name, see Using the Advanced Selector While Editing Resources.

Note: If you are editing an existing query viewer, the Query field is not editable. If you want to use a different base query, create another query viewer.

Refresh Data After

Set an amount of time (in minutes or hours) after which the query viewer automatically runs again and shows new data based on that most recent run. The query viewer is refreshed regularly at the specified interval. The default for this setting is every 15 minutes.

To change this default:

  1. Click the field to activate the settings.

  2. In the left-hand field, enter a numeral, and in the right-hand drop-down menu, select minutes or hours.

Query Time Out

Define a time out limit within which the query must return results. If the query does not complete and sends no results within the specified time out period, the Manager stops running the query.

By default, the time out is 300 seconds (5 minutes). If you do not specify a Query Time Out in the Attributes tab, this time out of 5 minutes applies, even if the Query Time Out field displays None.

Setting a time out limit is good practice, especially if the event rate (events per second, or EPS) is unusually high, the start/end time range is large, or the query is complex. Time outs can help guard against infinite or long-running queries that impact system performance. Although this is less of an issue with query viewers, since they are designed to minimize impact on system performance, it can still be an issue in some scenarios.

Setting time outs can be a useful troubleshooting technique for new queries, or existing queries in new scenarios, for example where event counts spike higher.

Default View

The Default View attribute determines how the result data are displayed when you double-click the query viewer to open the results in the Viewer panel.

Define the default (double-click) view format for this query viewer. The choices are to show data as:

  • Table (this is the default)

  • Pie chart

  • Bar chart

Double-clicking a query viewer in the Navigator displays result data in the format set here.

If you choose Pie Chart or Bar Chart as the default view format, choose fields to use for the Values Column (to plot the y axis points on a bar chart or slice sizes on a pie chart) and the Point Labels Column (to plot the x axis labels on a bar chart or slice labels on a pie chart). The Values Column and Point Labels Column are also described in Viewing Query Viewer Results.

Values Column

The Values field applies to bar charts and pie charts. This setting provides fields in the query result that contain numeric data types. The value chosen supplies the numbers used to plot the vertical y axis points on a bar chart or the slice sizes on a pie chart.

Values typically represent an unknown set of values, like a count. A common example of numeric data appropriate for values is a time like HourOfDay or a count like Count(Event ID).

Point Labels Column

The Point Labels field applies to bar charts and pie charts. This setting provides fields in the query result that contain non-numeric data types. The point labels are used to plot the horizontal x axis labels on a bar chart or the slice labels on a pie chart.

Examples of non-numeric data types appropriate for point labels are timestamps, strings such as those used for event names, and different types of addresses such as IP or MAC addresses. Point labels are typically a known set of limited values (like hours in a day denoted by timestamps).

Setting any of the following attributes (Start Time, End Time, or Row Limit) in the Query Viewer overrides the corresponding setting in the base query. (For information about defining the base query, see the Query attribute.)

Start Time

Specifies the starting point for the data gathering.

A drop-down menu provides values to select based on Velocity Templates (such as $Now, $Now - 1d, and so on). You can also provide a timestamp such as: 27 Jul 2017 16:00:00 PDT.

For more on timestamps and timestamp variables, see Timestamps, Timestamp Variables, and Variables.

End Time

Specifies an end point for the data gathering.

A drop-down menu provides values to select based on Velocity Templates (such as $Now, $Now - 1d, and so on). You can also provide a timestamp such as: 28 Jul 2017 16:00:00 PDT.

For more on timestamps and velocity references, see Timestamps, Timestamp Variables, and Variables.

Row Limit

Set the row limit for the data table.

The default for all new base queries is the maximum allowable, which is 10,000 rows.

If the default is not changed in the base query, and no limit is specified here in the query viewer, the result shows up to 10,000 rows of data.

Entering data in the Common and Assign sections is optional, depending on how your environment is configured. For information about the Common and Assign attributes sections, as well as the read-only attribute fields in Parent Groups and Creation Information, see Common Resource Attribute Fields.