Aggregated Search Results
Add aggregation to your search results to build quick summaries of the results.
Note
Search aggregation is only available to customers holding an Exabeam Security Log Management, Exabeam SIEM, or Exabeam Fusion license, and only if the time range for your search is within the number of months covered by the license (1 month for all core licenses, 1-12 additional months with an Extended Retention add-on; this does not include long-term search/storage add-ons).
Note
Aggregations can be built for a 7 day sliding window only. If you want to see statistics for a full month, consider using dashboards instead.
Click Aggregations on the search results navigation bar.
If you have already built an aggregated search, its results are shown; otherwise the Manage Column Aggregation dialog appears, enabling you to build your search summary.
Click the Field template drop-down menu to select from a list of field templates or to create your own field template. The field template selected determines what fields will be available for selection.
Note
See Field Templates for more information.
Make your selections to build your aggregated search results.
Select one or more aggregation functions for each field you want included in the results.
Note
The functions are enabled/disabled depending on the field data type. The count function is enabled for every field, while sum, average, min and max are only enabled for fields with a number data type.
Select GROUP BY to group the rows that have the same value.
Click CREATE.
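The summary the steps above produce follows a few rules: count applies to any field, sum/average/min/max only to number-typed fields, rows are grouped on a shared value, and the result is sorted descending on the first aggregated column. The following is an added illustration of those rules over constructed sample rows; it is not Exabeam code, and the field names, the `aggregate` and `allowed_functions` helpers and the events are all assumptions for the example.

```python
from collections import defaultdict
from numbers import Number
from statistics import mean

# Constructed sample search rows (not Exabeam data): one dict per matching event.
EVENTS = [
    {"user": "alice", "src_ip": "10.0.0.5", "bytes_out": 1200},
    {"user": "alice", "src_ip": "10.0.0.6", "bytes_out": 300},
    {"user": "bob",   "src_ip": "10.0.0.7", "bytes_out": 50},
    {"user": "bob",   "src_ip": "10.0.0.7", "bytes_out": 450},
    {"user": "carol", "src_ip": "10.0.0.9", "bytes_out": 9000},
]

FUNCS = {"count": len, "sum": sum, "avg": mean, "min": min, "max": max}
NUMERIC_ONLY = {"sum", "avg", "min", "max"}  # disabled for non-number fields


def allowed_functions(events, field):
    """Mirror the dialog rule: count for every field, numeric functions only for number fields."""
    values = [e[field] for e in events if field in e]
    is_number = bool(values) and all(
        isinstance(v, Number) and not isinstance(v, bool) for v in values)
    return {"count"} | (NUMERIC_ONLY if is_number else set())


def aggregate(events, group_by, specs):
    """specs maps field -> list of function names. Returns one row per GROUP BY value,
    sorted descending by the first aggregated column (largest value at top)."""
    for field, funcs in specs.items():
        bad = set(funcs) - allowed_functions(events, field)
        if bad:  # reject what the UI would have left disabled
            raise ValueError(f"{sorted(bad)} not allowed on field {field!r}")
    groups = defaultdict(list)
    for e in events:
        groups[e[group_by]].append(e)
    rows = []
    for key, members in groups.items():
        row = {group_by: key}
        for field, funcs in specs.items():
            vals = [m[field] for m in members if field in m]
            for fn in funcs:
                row[f"{fn}({field})"] = FUNCS[fn](vals)
        rows.append(row)
    first_col = next(f"{fn}({f})" for f, fns in specs.items() for fn in fns)
    rows.sort(key=lambda r: r[first_col], reverse=True)
    return rows
```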
The aggregated search results are shown on the search results page.
Note
The field template selected when building the aggregated search determines what fields are displayed.
Use the icon to select a column to sort the results. By default, the first column that has an aggregation function applied to it is sorted in descending order (largest value at top).
Click Reconfigure to build a different search results summary.
Click Matching Events to return to the non-aggregated search results.
Note
The aggregated search you have built will be retained. Click Aggregations again to return to these results. Searches saved with aggregations will be marked with the icon in the saved searches list.