Working with Queries

In This Section:

Running Queries

Configuring Query Defaults

Working with the Favorites List

Working with the Results Pane

Creating Custom Queries

SmartLog lets you quickly and easily create log queries. The query results show in the Results pane. SmartLog comes with many predefined queries that are ready to run right out of the box. You can create your own custom queries and save them for future use.

Running Queries

You can run an existing SmartLog query or create a custom query.

To run a query:

  • Click Favorites and select a predefined or custom query.

    Or

  • Click in the Query Definition field and select a recent query.

To create and run a query:

  1. Click in the Query Definition field.
  2. Enter or select query criteria.

    The query runs automatically. As you add more criteria, results are updated dynamically.

To manually refresh your query:

Click the Refresh icon.

To continuously refresh your query (Auto-Refresh):

Click the Auto-Refresh icon. The icon is highlighted when you enable Auto-Refresh.

The query updates every two seconds while Auto-Refresh is enabled. If the number of logs is greater than 20 in any two-second period, logs are aggregated, and a summary view shows. To see all logs that have been aggregated in a specific time interval, click View.

To stop refreshing your query:

Click the Auto-Refresh icon. The icon is no longer highlighted when you deactivate Auto-Refresh.
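The Auto-Refresh behavior described above (two-second windows, aggregation when a window holds more than 20 logs, with the full list kept for View) can be modeled in a few lines of Python. This is an added example for illustration only, not SmartLog's own code; the record fields (time, src, action), the summary layout and the constructed sample records are assumptions.

```python
from collections import Counter

WINDOW_SECONDS = 2     # Auto-Refresh interval stated on the page
AGGREGATE_ABOVE = 20   # more logs than this in one window -> summary view


def make_sample_records():
    """Constructed sample log records (field names are assumptions)."""
    recs = []
    # Window 0-2 s: five scattered Accept logs -> shown individually.
    for i in range(5):
        recs.append({"time": 0.3 * i, "src": f"10.0.0.{i}", "action": "Accept"})
    # Window 2-4 s: a 30-log burst, 25 of them from one source -> summarized.
    for i in range(30):
        src = "10.0.0.99" if i < 25 else f"10.0.1.{i}"
        recs.append({"time": 2.0 + 0.05 * i, "src": src, "action": "Drop"})
    return recs


def bucket_by_window(records, window=WINDOW_SECONDS):
    """Group records by the refresh window their timestamp (epoch seconds) falls in."""
    buckets = {}
    for rec in records:
        start = int(rec["time"] // window) * window
        buckets.setdefault(start, []).append(rec)
    return buckets


def render_window(start, records, threshold=AGGREGATE_ABOVE):
    """Return the individual records, or a summary when the window is too busy.

    The full record list is kept inside the summary so a 'View' action can
    expand the aggregated logs for that interval.
    """
    if len(records) <= threshold:
        return {"window": start, "mode": "detail", "logs": records}
    return {
        "window": start,
        "mode": "summary",
        "count": len(records),
        "actions": dict(Counter(r["action"] for r in records)),
        "top_sources": Counter(r["src"] for r in records).most_common(3),
        "logs": records,
    }


def refresh_view(records):
    """One Auto-Refresh pass: a list of per-window views in time order."""
    return [render_window(start, recs)
            for start, recs in sorted(bucket_by_window(records).items())]


if __name__ == "__main__":
    for view in refresh_view(make_sample_records()):
        if view["mode"] == "detail":
            print(f"[{view['window']}s] {len(view['logs'])} logs shown individually")
        else:
            print(f"[{view['window']}s] {view['count']} logs aggregated; "
                  f"top sources {view['top_sources']}")
```

The summary keeps the raw records rather than discarding them, which is the property that makes a later drill-down (View) possible; a burst from a single source is immediately visible in top_sources even though the individual lines are not shown.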

Configuring Query Defaults

You can use the Query Settings to:

  • Define the default query that runs when you open SmartLog.
  • Set the number of items that show in the Top Results pane.
  • Set the time, in seconds, that the Top Results show after running a query.

To define the default query:

  1. Go to Menu > Tools > Query Settings.

    The Query Settings window opens.

  2. Enter a query (using the query syntax) in the Default Query field.

    Tip: Select or define a query in the Query Definition field, then copy and paste it into the Default Query field.

    If no default query is specified, SmartLog runs the All Records query.

  3. Click OK.

To configure the Top Results:

  1. Go to Menu > Tools > Query Settings.

    The Query Settings window opens.

  2. In the Maximum top results field, enter the number of results to show (default = 10).
  3. In the Show top results after field, enter the time, in seconds, allocated for calculating the top results (default = 10 seconds).

    Note - SmartLog stops collecting top results after 150000 log entries or after 10 seconds, whichever happens first. To change these limits, refer to sk74800.

  4. To get top results from Multi-Domain Log Server and multiple Log Servers:
    1. Select Show top results from Multi-Domain Log Server and multiple Log Servers.
    2. Enter the maximum number of Simultaneous connections to Log Servers (default=3).

    Note - Top results are collected from all Log Servers in groups of the size configured in Simultaneous connections.

  5. Click OK.
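The two caps in the note above (150000 entries or 10 seconds, whichever happens first) and the batched collection from several Log Servers can be modeled as follows. This is an added Python example for illustration, not SmartLog's code; the record layout, the src field name, the stop-reason values and the strategy of merging full per-server counts are assumptions. It goes a little beyond the page by reporting which cap stopped the scan, so a caller can tell whether a top list reflects the whole result set or only a prefix of it.

```python
import time
from collections import Counter

MAX_TOP_RESULTS = 10   # "Maximum top results" default
MAX_ENTRIES = 150000   # entry cap from the note above
MAX_SECONDS = 10       # time cap from the note above


def make_sample_records(n=20):
    """Constructed sample records; the 'src' field name is an assumption."""
    return [{"src": f"10.0.0.{i % 4}", "action": "Accept"} for i in range(n)]


def count_field(records, field, max_entries=MAX_ENTRIES,
                max_seconds=MAX_SECONDS, clock=time.monotonic):
    """Count values of `field` over a record stream until a cap is hit.

    Returns (counts, scanned, stop_reason). stop_reason is 'exhausted' when
    every record was read, otherwise 'entry_cap' or 'time_cap' (assumed
    labels). `clock` is injectable so the time cap can be tested without
    waiting ten seconds.
    """
    counts = Counter()
    scanned = 0
    deadline = clock() + max_seconds
    stop_reason = "exhausted"
    for rec in records:
        if scanned >= max_entries:
            stop_reason = "entry_cap"
            break
        if clock() > deadline:
            stop_reason = "time_cap"
            break
        counts[rec.get(field, "<none>")] += 1
        scanned += 1
    return counts, scanned, stop_reason


def collect_top_results(records, field, max_top=MAX_TOP_RESULTS, **caps):
    """Top-N values of `field` plus how much of the stream was actually read."""
    counts, scanned, stop_reason = count_field(records, field, **caps)
    return counts.most_common(max_top), scanned, stop_reason


def merge_server_counts(servers, field, batch=3, **caps):
    """Collect from several Log Servers in groups of `batch` and merge counts.

    `servers` maps a server name to its record stream. Groups are processed
    one after another here (SmartLog opens that many connections at once).
    Full per-server counters are merged, not each server's own top-N: a value
    that is common overall but never in any single server's top-N would
    otherwise be lost. That merge strategy is an assumption of this example.
    """
    total = Counter()
    reasons = {}
    names = list(servers)
    for i in range(0, len(names), batch):
        for name in names[i:i + batch]:
            counts, _, reason = count_field(servers[name], field, **caps)
            total.update(counts)
            reasons[name] = reason
    return total, reasons


if __name__ == "__main__":
    top, scanned, reason = collect_top_results(make_sample_records(), "src", max_top=3)
    print(f"scanned {scanned} records, stopped because {reason}: {top}")
```

The practical point: a top list stopped by either cap was computed over a prefix of the result set, so on a busy Log Server it can miss the source that dominates the full set. Check the stop reason (or narrow the query time range, or raise the limits as described in sk74800) before treating the Top Results as representative.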

Working with the Favorites List

The Favorites list lets you work with predefined and saved custom queries. The predefined queries are organized into folders by Software Blade. You can add new queries to an existing folder or create new folders to hold them.

You can do these actions with the Favorites list:

  • Add new custom queries
  • Add new query folders
  • Delete queries

In this version, you cannot move a query from one folder to a different folder.

Adding a Query to the Favorites List

To add a query to the Favorites list:

  1. From the Favorites menu, select Add to Favorites.
  2. In the Add to Favorites window, enter a name for the new query.

    The query criteria show in the Query field.

  3. Select a folder from the list or click Create a New Folder.
  4. Click Add.

Creating a New Folder

You can use folders to help you organize custom queries into logical groups. Folders can be created inside other folders.

You can also do this procedure while adding a new query to the Favorites list.

To create a new folder:

  1. From the Favorites menu, select Add to Favorites.
  2. In the Add to Favorites window, click the Folder list.
  3. Select Create a New Folder from the list.
  4. In the Create a Folder window, enter a name for the new folder.
  5. Select a folder to contain the new folder.
  6. Click Add.

Deleting a Folder

You can delete folders that are no longer necessary.

Important - When you delete a folder, you also delete any queries included in that folder. We recommend that you carefully look at the folder contents before you delete it. In this release, you cannot move a query from one folder to a different one.

To delete a folder:

  1. From the Favorites menu, select Organize Favorites.
  2. In the Organize Favorites window, select the folder to be deleted.
  3. Click Delete.
  4. Click Close.

Working with the Results Pane

You can control how the data shows in the Results pane:

  • Select Grid View. This shows log records in a detailed tabular view. You can select the fields that show and can change the column order and width.
  • Select Table View. This shows a short summary of basic log data. You cannot customize this view.
  • Show or hide User Identity.
  • Show resolved IP addresses and service names.
  • Scroll down to increase the quantity of query results that show.
  • Export query results to a CSV file.

Showing Query Results

Query results can include tens of thousands of log records. To prevent performance degradation, SmartLog only shows the first set of results in the Results pane. Typically, this is 50 results.

Scroll down to show more results. As you scroll down, SmartLog extracts more records from the SmartLog Index Server and adds them to the results set. The number of results shows above the Results pane.

For example, on the first run of a query, you can see the first 50 results (128 ms), out of over 150,000 results. When you scroll down, you can see the first 100 results (128 ms), out of over 150,000 results.

Customizing the Results Pane

By default, SmartLog shows a predefined set of columns and information based on the selected blade in your query. This is known as the Column Profile. If no blade is specified, a column profile is assigned based on the blade that occurs most frequently in the query results.

The Column Profile defines which columns appear in the Results Pane and in which order. You can change the Column Profile as necessary for your environment. You can sort the results by the actual event date and time or by the time that the event index arrived at the SmartLog Server.

To let SmartLog assign Column Profiles automatically, right-click a column heading and select Columns Profile > Automatic Profile Selection. This option is enabled by default.

To assign Column Profiles manually, right-click a column heading and select Columns Profile > Manual Profile Selection.

To manually assign a different Column Profile:

  1. Right-click a column heading and select Columns Profile.
  2. Select a Column Profile from the options menu.

To change a Column Profile:

  1. Right-click a column heading and select Columns Profile > Edit Columns Profile.
  2. In the Show Fields window, select a Column Profile to change.
  3. Select fields to add from the Available Fields column and click Add.
  4. Select fields to remove from the Selected Fields column and click Remove.
  5. Select a field in the Selected Fields and then click Move Up or Move Down to change its position in the Results Pane.
  6. Double-click the Width column to change the default column width for the selected field.

You can drag the right-hand column border in the Results Pane to change the column width. This action applies only to the current session. The width defined in the Column Profile is used again when you start a new SmartLog session.

To change the sort query order:

  1. Right-click the Time column.
  2. Select Sort by time or Sort by arrival order as applicable.

Exporting Query Results

SmartLog lets you export query results to a comma-separated value (CSV) file. You can then use Microsoft Excel or other database programs to further analyze the data or print reports.

SmartLog only exports the query results included in the current result set. You must scroll down to add more records to the result set. The actual number of results in the result set shows below the Query Definition pane.

To export query results:

  1. Create or run a query in SmartLog.
  2. Scroll down in the Results pane until a sufficient quantity of records show.
  3. From the File menu, select Export > Excel CSV.
  4. Enter the file name and path and then click Save.

Creating Custom Queries

Queries can include one or more criteria. You can create custom queries using one or a combination of these basic procedures:

  • Right-click columns in the grid view and select Add Filter.
  • Click in the Query Definition field and then select the fields and filter criteria for those fields.
  • Manually enter filter criteria in the Query Definition field.

A good way to create a new custom query is to run an existing query and then use one of these procedures to change it. You can save the new query in the Favorites list.

When you create complex queries, SmartLog suggests, or automatically enters, an appropriate Boolean operator. This can be an implied AND operator, which does not explicitly show.

Selecting Query Fields

You can enter query criteria directly from the Query Definition field.

To select field criteria from the Query Definition field:

  1. If you are starting a new query, remove the existing query definition: click Clear.
  2. Put the cursor in the Query Definition field.
  3. Select a criterion from the drop-down list or enter the criteria in the Query Definition field.

The query runs automatically.

Selecting Criteria from Grid Columns

You can use the column headings in the Grid view to select query criteria. This option is not available in the Table view.

To select query criteria from grid columns:

  1. In the Results pane, right-click on a column heading.
  2. Select Add Filter.
  3. Select or enter the filter criteria.
    The criteria show in the Query Definition field and the query runs automatically.

You can continue to enter more criteria using this or other procedures.

Manually Entering Query Criteria

You can always type query criteria directly in the Query Definition field. You can manually create a new query or make changes to an existing query that shows in the Query Definition field.

As you type, SmartLog helps you by showing recently used query criteria or even complete queries. To use these suggestions, select them from the drop-down list. If you make a syntax error in a query, SmartLog shows an error message that identifies the error and suggests a solution.

 
Top of Page ©2015 Check Point Software Technologies Ltd. All rights reserved. Download PDF Send Feedback Print