Begin an Investigation in the Navigate or Legacy Events View
The Navigate view is the default view for Investigate unless you have selected a different view as your opening view. This user preference is set on the application level as described in Configuring NetWitness Investigate Views and Preferences. In the Navigate view and Legacy Events, you are hunting for events of interest based on a query. In the Navigate view you can also refine results by clicking on meta keys and meta values. When you find interesting events, you can take a closer look at the event in the other Investigate views.
To begin an investigation in the Navigate view or Legacy Events view, a service must be specified.
- Investigate opens the Navigate view or the Legacy Events view with the user-specified default service selected.
- If no default service is currently specified and the service id is not in the URL, Investigate presents a dialog for selecting the service or collection to investigate.
- When a service is selected manually or by default in the Navigate view or Legacy Events view, you can change the service or collection to investigate by selecting the service name in the toolbar. Investigate presents the dialog for selecting the service to investigate.
Note: The Archiver service does not appear in the Navigate view to minimize user experience of slow performance when performing investigations. The Archiver is available in the Legacy Events view for log exports and enhanced search capabilities.
With a service or collection selected, Investigate is ready to load data for the service or collection. It is recommended that you also select a time range so that results load faster. Several settings in the Navigate view and Legacy Events view Settings dialog or the Profiles > Preferences panel > Investigations tab affect the loading process: Threshold, Max Values Results, Show Debug Information, Autoload Values, and Optimize Investigation page loads (see Configuring NetWitness Investigate Views and Preferences).
Note: In the Legacy Events view data loads automatically. If you specified Autoload Values in the Navigate view preferences, Investigate populates the data automatically. Otherwise, you must select Load Values. Investigate populates the metadata in the Navigate view Values panel and results become visible almost immediately.
The rest of this topic provides instructions for beginning the investigation of data on a service.
Note: Only users with the administrator role can create a collection, and only the creator of the collection is able to investigate a collection.
After loading data in the Navigate or the Legacy Events view, refine results, reconstruct and analyze events, then download and act upon results (see Refining the Results Set and Reconstructing and Analyzing Events and Downloading and Acting Upon Results).
Begin an Investigation (No Default Service)
- Go to Investigate > Navigate or Legacy Events.
The Investigate dialog is displayed. - Double-click a service or select a service, usually a Concentrator, and click Navigate.
The data loads automatically in the Legacy Events view. If you are working in the Navigate view, the resulting panel displays the activity for the selected service, but the data is not loaded automatically. - (Recommended) Select a specific time range so that results load faster.
- If you want to modify investigation options before loading, you can create or modify a custom profile, apply a different time range, create or apply a meta group, and perform a custom query as described Refining the Results Set. You can also modify options at any time during the investigation.
- To load data in the Navigate view, click .
The data for the selected service begins loading.
With the service selected and data loaded, you are ready to begin analyzing the data.
Set or Clear the Default Service
You can set the default service and clear the default service in the Investigate a Service dialog.
- Click the service name in the toolbar.
The Investigate dialog is displayed. - Select a service on the Services grid, and click .
The service becomes the default, (indicated by Default in parentheses after the service name). - To clear the default service, select the default service in the grid, click , and click Cancel to close the dialog.
No default service is set.
Note: Clicking cancel does not cancel your selection of the default service. It closes the dialog without navigating to the currently selected service in the grid. Setting a default service that is different from the service currently being investigated, does not refresh the Navigate view. You must explicitly select and navigate to a different service.
Begin an Investigation (Default Service Specified)
- Go to Investigate > Navigate or Legacy Events.
If the Autoload Values setting is set to off, the Navigate view is displayed with the default service selected, and ready to load data. If the Autoload Values setting is on, the values are loaded as shown in Step 3. In the Legacy Events view, the data is loaded automatically. - If you want to modify investigation options in the Navigate view before loading, you can create or modify a custom profile, apply a different time range, create or apply a meta group, and perform a custom query.
- When ready, click .
The values for the service are loaded in accordance with the selected options. With the service selected and data loaded you are ready to begin analyzing the data.
Change the Service or Collection to Investigate
- In the Navigate view or the Legacy Events view, click the service name at the top of the options panel.
The Investigate dialog is displayed. - Double-click a service or select a service and click Navigate. The resulting panel displays the activity for the selected service.
If the Autoload Values setting is on, the values are loaded as shown in Step 3. Otherwise, the Navigate view is displayed with the default service selected, and data ready to load. In the Events view the data is loaded automatically. - When ready, click .
The values for the service begin loading in accordance with the selected options.
With the service selected and data loaded you are ready to begin analyzing the data.
Investigate Workbench Restoration Collections
This procedure enables administrators to select content from an existing collection to reprocess for further investigation. This applies to Decoders that use Workbench services.
Note: Only a user with administrative privileges can create a collection, and you can view only those collections that you created.
To reprocess data for further investigation:
- Go to Investigate > Navigate or Legacy Events.
The Investigate dialog is displayed. - Select a workbench service and workbench name that you want to investigate.
- Click Navigate to perform an investigation on the selected workbench service.
Click Cancel to select a different workbench service to investigate.
The Investigation view is displayed. With the collection selected and data loaded, you are ready to begin analyzing the data.