Filter Results in the Navigate View

When conducting an investigation in the Navigate view, there are several methods available to refine the results displayed when meta key values are loaded in the Navigate view. The rest of this topic is focused on the basic methods of filtering data:

Note: By default, the Navigate view is disabled in Version 11.6 as the Filter Events Panel in the Events view provides this functionality. To enable the Navigate view, see Configure the Navigate View and Legacy Events View.

Set the Time Range

When conducting an investigation in the Navigate view, the time range options limit the results returned. You can select:

  • A time range relative to the collection: ranges relative to the collection are based on the last collection time for the data.
  • A time range relative to the calendar.
  • A custom date range.
  • All data.

The selected Date Range is shown in the Navigate view tool bar as the Time Range label. By default the label is Last 3 Hours. The Time Range displayed in the timeline banner shows the first and last timestamp for the date range being used for the metadata.

Note: The time range is based on the Time Zone configured in the Profile Preferences panel, as described in "Setting User Preferences" in the NetWitness Getting Started Guide.

To select a built-in time range

  1. Click the Time Range option in the Navigate view toolbar. The default time range is for the Last 3 Hours, but a different value from the selection list, for example, All Data or Last Hour, may already be selected and used as the label in the options panel.
    The Time Range selection list is displayed.
    netwitness_timerange.png
  2. Do one of the following:
    • If you want to see all data, select All Data.
    • If you want to set a time range in minutes, hours, or days that is relative to the collection, select a value such as Last 10 minutes, Last 3 Hours, or Last 5 days.
    • If you want to set a time range relative to today, select Yesterday, This Week (Version 11.1), Last Week (Version 11.1), All Day, or a part of the day such as Early Morning, Morning, Afternoon, or Evening.
    • If you want to set a unique date range, select Custom in the Time Range menu and follow the procedure below.
      The selected time range is applied to the current results in the Values panel.

To specify a custom time range

  1. Select Custom in the Time Range menu.
    Date selection options are displayed in the toolbar.
    netwitness_trselect.png
  2. In the Start Date and End Date fields, do the following to specify the date and time:
    1. Click a date in the calendar.
    2. (Optional) Select the time from the Hour and Minute fields, or click Now. The time selection defaults to the current time of day.

Note: The value for start time in seconds always defaults to :00, and the value for end time in seconds always defaults to :59. For example, if you are using time to drill down into an issue, the drill time is interpreted as "HH:MM:00 - HH:MM:59."

  3. To apply the range, click Go.
    The selected time range is applied to the current results in the Values panel.

Set the Quantification Method and Sort Sequence of Meta Key Results

You can select the way results for each meta key are quantified and sequenced in the Navigate view.

Note: If meta entities (Version 11.1 and later) are used in meta groups, the results will show the top 20 values that matched any of the meta keys contained in the meta entity.

Each meta key section in the Navigate view contains an ordered list of values showing each meta key value (Value) and its count (Total). You can specify whether:

  • The results in each meta key section are sorted based on Value or Total.
  • The results are sorted in ascending or descending order.
  • The values shown for each meta key are quantified by the number of packets (Quantify by Packet Count), the number of sessions or logs (Quantify by Event Count), or the size of events (Quantify by Event Size).

Note: If you have both a log decoder and a packet decoder for which you are viewing the metadata, the calculation of what is actually being counted is dependent on the type of key. If you select to Quantify by Packet Count and are looking at logs, the Navigate view output is the same output as if you had selected Quantify by Event Count (see Navigate View for details).

This image shows the Event Type meta key sorted by Total in descending order. The value with the greatest count of matches is presented first: failure audit has 71 matches and is listed first. The value logon has only one match and is presented last. The quantification method is Event Count.

netwitness_evtypetotal.png

This image shows the Event Type meta key sorted by Value in descending order. The value names are presented in reverse alphabetical order: success audit is listed first and connect is presented last. The quantification method is Event Count.

netwitness_evtypevalue.png

To select the quantification method of meta key count and ordering of meta key results displayed in the Navigate view:

  1. In the toolbar, select Event Count, Event Size, or Packet Count and choose one of the quantification options in the drop-down menu. The label for the menu displays the selected option.
    netwitness_quantmenu.png
    The current view is reloaded according to your selection.
  2. In the toolbar, select Total or Value and choose one of the ordering methods in the drop-down menu. The label for the menu displays the selected option.
    netwitness_ordermenu.png
    The current view is reloaded according to your selection.
  3. In the toolbar, select Ascending or Descending and choose one of the sort order options in the drop-down menu. The label for the menu displays the selected option.
    The current view is reloaded according to your selection.
    netwitness_sortmenu.png

Manage and Apply Default Meta Keys in an Investigation

When analysts are conducting an investigation of captured data in Investigate, a default set of meta keys is loaded and displayed in a default sequence in the Navigate view > Values panel. The default content and sequence are based on the meta keys for the service being investigated. Analysts can specify the meta keys to display during navigation by selecting the default meta keys or by selecting a user-defined group of meta keys, which provides great flexibility in defining meta keys. This helps analysts drill down more directly to the desired data and reduces load time by not loading metadata that is not of interest in the current investigation.

Note: In Version 11.1 and later, wherever meta keys are used, you can also use configured meta entities.

If no custom meta groups are in effect, the Navigate view is displayed with the meta key visibility specified in the Default Meta Keys dialog. To optimize loading of meta keys in the Navigate view > Values panel, NetWitness does not open non-indexed meta keys by default. When you open a non-indexed meta key in the Values panel, NetWitness begins loading values for that meta key. If the load time is excessive, loading of the meta key times out and a message is displayed. The title, values, and counts for non-indexed meta keys are not drillable in the Values panel. Additional labeling in Investigation identifies the non-indexed meta keys.

To select the meta keys to apply to your investigation, you can:

  • Select the default meta keys.
  • Select a set of meta keys, called a meta group.

Note: Investigate has built-in meta groups and user-defined meta groups. Once created, user-defined meta groups can be edited, deleted, exported for use on other services, and imported to the service you are investigating. All of these procedures are provided in a separate topic: Use Meta Groups to Focus on Relevant Meta Keys.

The Default Meta Keys dialog allows you to specify the default view and display sequence for meta keys during navigation in the Investigate > Navigate view for a specific service. For each key or for all keys, you can set the default view to:

  • Hidden: Results for the default meta key are hidden and are not available to load.
  • Open: Results for the default meta key are open, with all values and counts displayed.
  • Close: Results for the default meta key are closed, with only the meta key name visible.
  • Auto: Loading of the default meta key is controlled by its index level, which must be Indexed By Value.

When using the default meta keys, be aware that these can be modified for different services, and you may not be seeing the same set of default meta keys when navigating to a drill point on different services. If you do not see the expected data, you may need to change the initial view of the default meta keys.

When you change the initial state of default meta keys from within the Navigate view, the change persists for that service. When new keys are added to the custom index file for a Core service (for example, concentrator-custom-index.xml or decoder-custom-index.xml), the new keys are added to the default meta keys list. The changes made in the Navigate view apply only to the current service.

To specify that the initial Navigate view opens using default meta keys

  1. Go to Investigate > Navigate.
  2. Select a service and select Navigate.
  3. In the Meta menu, select Use Default Meta Keys.
    If an investigation is already in progress, the data is reloaded in the current view and an icon highlights the selected option. If no data is loaded yet, the default meta keys are used for the next load.

Configure Default Meta Keys

To configure the default view of default meta keys in the Navigate view:

  1. In the Navigate view toolbar, select Meta > Manage Default Meta Keys.
    The Manage Default Meta Keys dialog is displayed with the list of available meta keys for the service.
    netwitness_mandmetakeys.png
  2. (Optional) To change the order of the keys, select one or more keys and drag them up or down through the list of keys.
  3. Do one of the following:
    • (Optional) To change the default view for all meta keys, make sure that no keys are selected and in the toolbar, select netwitness_actiondd.png.
    • (Optional) To change the default view for one or more keys, select the keys and in the toolbar, select netwitness_actiondd.png.
      A drop-down menu of possible initial views for all default meta keys is displayed.
      netwitness_mgdefmgdd113.png
    • (Optional) To revert to the default view for meta keys as specified in the service index file, make sure that no keys are selected and in the toolbar, select netwitness_actiondd.png > Auto.
      When you modify the default view for a non-indexed meta key, you cannot set the key to OPEN. If you change the default view for a group of meta keys to OPEN and some of the meta keys are non-indexed, the non-indexed meta keys revert to AUTO. As a result, the meta key is automatically loaded only if it is indexed, and non-indexed meta keys are CLOSED until opened manually.
  4. Select one of the views.
  5. To save the changes, click Apply.
    The meta keys displayed in the Navigate view are set to your specifications. If the default meta keys are hidden, values for the meta keys are not shown in the investigation at all. If the default meta keys are closed, the values for the meta keys are not loaded by default, but you can load individual meta keys manually in the Navigate view.

Drill into Data in the Navigate View Time Chart

The Time Chart visualization allows analysts to visualize activity over time. You can zoom into the data by selecting a time window and then clicking Investigate. You can then reset the navigation to the time range that was in effect before zooming.

  1. Go to Investigate > Navigate.
    The Time Chart for the current drill point and selected time range is displayed. You can hover over the time chart to display the total number of events that occurred at a specific time.
    122_116TimeLine2_1122.png
  2. To highlight a period of time on the Time Chart, click over the desired time period and drag the mouse.
    The Time Chart is redrawn for the selected time range; however, the meta values are unchanged.
  3. To drill into the data for the selected time range, click Investigate.
    The URL is updated to reflect the time range override, and the Investigation options panel is updated to reflect the custom time range. The Time Chart is redrawn and the meta values are loaded for the selected time range.
  4. To reset the Time Chart to the original time range, click Reset Zoom.
    The URL is restored to the original URL prior to zooming into the data, and the Investigation options panel is updated to reflect the time range selected before the zoom. The Time Chart is redrawn for that time range and the meta values are loaded for it.

Drill into Data in the Values Panel

NetWitness displays the activity and values for the selected service in the Investigation > Navigate view. To investigate data, analysts drill into it by clicking a meta key or a meta value, which is treated as a query. Each query is added to the breadcrumb at the top of the Values panel, so the breadcrumb contains one crumb for each query. You can edit the breadcrumb to insert or remove a query.

To drill into a subset of the metadata

  1. Begin an investigation so that metadata is displayed in the Navigate view.
    122_116TimeLine2_1122.png
  2. To drill down into the metadata, do any combination of the following:
    1. Click a meta key, for example, Service Type.
    2. Click a meta value (the blue text in the results), for example, OTHER.
      Each time you click a meta key or meta value, the investigation query pivots to a narrower focal point, or drill point, in the data. At each drill point, the Values panel is updated and the new drill point is displayed in the breadcrumb. Below is an example of the first breadcrumb.
      netwitness_breadcrumb115.png
      This is an example of a long breadcrumb that does not fit in the toolbar. The last query that fits is followed by a drop-down menu that lists additional queries. To select a drill point within the overflow, click the overflow icon and a query in the drop-down list.
      netwitness_overflow.png

To add a query in the breadcrumb

In the breadcrumb, you can click any of the crumbs to display the Query menu. You can insert a new query before a crumb, and append a new query to the end of breadcrumb. After each edit in the breadcrumb, NetWitness refreshes the results.

To add a query in the breadcrumb:

  1. Click a crumb.
    The Breadcrumb menu is displayed.
    netwitness_brdcrumbmenu112.png
  2. To add a query in the breadcrumb, select Append or Insert Before.
    The Create Filter dialog is displayed.
    netwitness_createfilter112.png
  3. Create the Query as described in Create a Query in the Navigate and Legacy Events Views.

To edit a query in the breadcrumb

In the breadcrumb, you can click any of the crumbs to display the Query menu. You can delete a crumb and edit a query in a crumb. After each edit in the breadcrumb, NetWitness refreshes the results.

To work with queries in the breadcrumb:

  1. Click a crumb.
    The Breadcrumb menu is displayed.
    netwitness_brdcrumbmenu112.png
  2. To edit a query in the breadcrumb, select Edit.
    The Create dialog is displayed with the selected query open for editing.
    netwitness_editfilter.png
  3. Edit the fields as described in Create a Query in the Navigate and Legacy Events Views.
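Both the seconds rule given under "To specify a custom time range" (start always :00, end always :59) and the breadcrumb operations just described (append, insert before, edit, delete, and the overflow drop-down for crumbs that do not fit the toolbar) can be modelled in a few lines. The following Python is an added example, not NetWitness code: the query syntax (clauses joined with `&&`, single-quoted string values), the separator width used for the overflow calculation, and the meta key names and values are assumptions constructed for illustration.

```python
# Added example, not NetWitness code: a model of a Navigate-view drill point,
# i.e. a custom time range plus the breadcrumb of queries built by clicking
# meta keys and values. Query syntax and meta key names are assumptions.
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional, Tuple, Union


def normalize_range(start: datetime, end: datetime) -> Tuple[datetime, datetime]:
    """Apply the documented seconds rule: start seconds become :00 and end
    seconds become :59, so a drill on one minute covers HH:MM:00 - HH:MM:59."""
    if end < start:
        raise ValueError("end date must not precede start date")
    return (start.replace(second=0, microsecond=0),
            end.replace(second=59, microsecond=0))


def range_label(start: datetime, end: datetime) -> str:
    """Label for the normalized range, e.g. '2024-01-05 09:15:00 - 2024-01-05 09:15:59'."""
    s, e = normalize_range(start, end)
    return f"{s:%Y-%m-%d %H:%M:%S} - {e:%Y-%m-%d %H:%M:%S}"


def crumb_for(meta_key: str, value: Optional[Union[int, float, str]] = None) -> str:
    """Clause produced by clicking a meta key (key must exist) or a meta value
    (key equals value). The quoting convention is an assumption for this example."""
    if value is None:
        return f"{meta_key} exists"
    if isinstance(value, (int, float)):
        return f"{meta_key} = {value}"
    escaped = str(value).replace("'", "\\'")
    return f"{meta_key} = '{escaped}'"


@dataclass
class Breadcrumb:
    """Ordered list of query crumbs; every edit returns the refreshed combined query,
    mirroring the view reloading its results after each breadcrumb change."""
    crumbs: List[str] = field(default_factory=list)

    @staticmethod
    def _validate(query: str) -> str:
        query = query.strip()
        if not query:
            raise ValueError("a crumb cannot be empty")
        return query

    def _check(self, index: int) -> None:
        if not 0 <= index < len(self.crumbs):
            raise IndexError(f"no crumb at position {index}")

    def append(self, query: str) -> str:
        self.crumbs.append(self._validate(query))
        return self.query()

    def insert_before(self, index: int, query: str) -> str:
        self._check(index)
        self.crumbs.insert(index, self._validate(query))
        return self.query()

    def edit(self, index: int, query: str) -> str:
        self._check(index)
        self.crumbs[index] = self._validate(query)
        return self.query()

    def delete(self, index: int) -> str:
        self._check(index)
        del self.crumbs[index]
        return self.query()

    def query(self) -> str:
        """All crumbs AND-ed together: the drill point is their intersection."""
        return " && ".join(f"({c})" for c in self.crumbs)

    def split_for_toolbar(self, width: int) -> Tuple[List[str], List[str]]:
        """Crumbs that fit in `width` characters stay visible; the remainder, in
        order, go to the overflow drop-down. A 3-character separator is assumed."""
        visible: List[str] = []
        used = 0
        for c in self.crumbs:
            needed = len(c) + (3 if visible else 0)
            if used + needed > width:
                break
            visible.append(c)
            used += needed
        return visible, self.crumbs[len(visible):]


if __name__ == "__main__":
    bc = Breadcrumb()
    bc.append(crumb_for("service", 80))          # constructed values
    bc.append(crumb_for("event.type", "OTHER"))
    print(range_label(datetime(2024, 1, 5, 9, 15, 30), datetime(2024, 1, 5, 9, 15, 30)))
    print(bc.query())
    print(bc.split_for_toolbar(20))
```

Running the block prints the normalized one-minute range, the AND-ed query for the two constructed crumbs, and which crumbs would be pushed into the overflow menu at a toolbar width of 20 characters.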

To quick search within a meta key

  1. Move the mouse over a meta key section and click the magnifying glass.
    The Quick Search form, which contains a comparator and an optional operand for the search, is displayed.
    netwitness_quicksrch.png
  2. (Optional) If you want to close the search form, click the magnifying glass again.
  3. Select the operation from the drop-down list on the left and type the text value to search for. Then click Drill to run the search.
    The metadata for that meta key is used to drill down in the current metadata.

To view meta key information and copy meta values for a meta key

  1. To view the key name, index level set for displaying the meta key, and the default view set for the meta key, click the drop-down menu next to the meta key. This figure shows the drop-down menu for Version 11.1 and later.
    netwitness_metkeydd111.png
  2. Select Meta Key Info.
    The Meta Key Info dialog is displayed.
    netwitness_metakeyinfo111.png
  3. When finished viewing, click netwitness_icon-close.png.
  4. (Optional for Version 11.1 and later) To view meta values found for a meta key in a simple list that you can copy, click the drop-down menu next to the meta key.
    The Export Values dialog is displayed.
    The Version 11.1 dialog displays a list of values with one value per line.
    netwitness_navvwexpvlu111.png
    The Version 11.3 dialog allows you to select the method of separating values: either New Line or CSV.
    netwitness_113expvaldgcsv.png
  5. Select the values that you want to copy, and click Export Values.
    The values are copied to the local clipboard and you can paste them into a file to save or share them.
  6. To close the dialog, click Close.
  7. (Optional) If you want to hide the results for the meta key in the current drill point, click the drop-down menu next to the meta key and click Hide Results.

To display events associated with a meta value

The Legacy Events view provides additional details for an event in two different views: Events List and Detail View.

  1. In the Navigate view, drill into metadata that is the focus of your investigation.
  2. Click the count (the number in green) next to a blue meta value.
    The Events view corresponding to the current drill point is displayed.
    The operations that you can perform in the events view are described in Reconstructing and Analyzing Events.

To search for specific events associated with a meta value

  1. In the Navigate view, drill into metadata that is the focus of your investigation (click a meta value or add a query).
  2. Type a search string in the Search box and press Enter or click Search.
    You can also select and set search mode preferences. See Search for Text Patterns in the Navigate and Legacy Events Views for detailed search information.
    The Events view opens in a new tab and shows the search results. If you do not see the search term highlighted, click Show Additional Meta. Your time range selection and drills (queries) carry forward to the Events view.
    122_LegEvVw_1122.png

To view a selected meta value in RSA Live

  1. In the Navigate view, drill into metadata that is the focus of your investigation.
  2. Right-click a meta value (the text in blue).
    The Meta Value drop-down menu is displayed.
  3. To look up the meta value in RSA Live, select Live Lookup.
    The Live Search view is displayed with the meta value entered in the Generated Meta Value(s) field, and ready for a search.
    122_LiveSrchVw_1122.PNG

To refocus the investigation in a drill point:

  1. Right-click a meta value (the text in blue).
    The Meta Value drop-down menu is displayed.
    netwitness_contextmenu112.png
  2. Choose one of the refocus options.
    The drill is refocused according to your choice.

To look at a specific count in a new tab:

To view a count for a meta value in the Legacy Events view or the Events view, right-click a count for a meta value (the green number following the blue meta value).
The context menu is displayed.
netwitness_metacountmnu112.png