User Guide

Querying Your Data

You can search and refine the data you receive from your data source by creating a query from the Discover page. You should create and save a query for each data source not provided by HCP.

When you submit a search query, the histogram, documents table, and fields list are updated to reflect the search results. The total number of hits is shown in the upper right corner of the histogram. The documents table shows the first five hundred hits.

HCP includes queries for the following telemetries:

  • YAF

  • Bro

  • Alerts (populated by Snort)

You can also add custom queries for new telemetry types.

To create a custom query, complete the following steps:

  1. Click the Discover tab to display the Discover window.

  2. In the search field at the top of the window, enter a query looking for a new type of telemetry document.

    For example, adding Snort would look something like this:

    You have several options when you create a query:

    • To perform a free text search, enter a text string.

      For example, if you’re searching web server logs, you could enter safari to search all fields for the term safari.

    • To search for a value in a specific field, you prefix the value with the name of the field.

      For example, you could enter status:200 to limit the results to entries that contain the value 200 in the status field.

    • To search for a range of values, you can use the bracketed range syntax, [START_VALUE TO END_VALUE].

      For example, to find entries that have 4xx status codes, you could enter status:[400 TO 499].

    • To search for a range of IPv4 values, you can use the same bracketed range syntax, [IP_START_VALUE TO IP_END_VALUE].

      For example, to find all addresses in the 10.0.0.0/8 private range (RFC 1918), you could enter ip_address:[10.0.0.0 TO 10.255.255.255]. The endpoints are compared as addresses only when the field is mapped as an ip type in Elasticsearch; on a plain string field the same range is compared lexically and will not return the addresses you expect.

  3. Press Enter or click the Search button to submit your search query.

  4. Click the Save Search button in the Discover toolbar to save the search.

    Saving a search saves both the query string and the currently selected index pattern.

  5. Enter a name for the search and click Save.
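
The four query forms listed in step 2 (free text, field:value, a bracketed numeric range, and a bracketed IP range) behave differently once they reach Elasticsearch, and the differences matter when you save a query for a new telemetry type. The following is an added example, not code from HCP, Metron or Kibana: a small evaluator that parses those four forms and runs them over a handful of constructed records shaped like HCP telemetry. It approximates Kibana's behaviour (free text is matched against lowercased tokens of every field, a field name may carry an escaped colon such as source\:type, and IP ranges are compared as addresses rather than as strings). Field names, values and documents here are assumptions chosen to illustrate the syntax.

```python
"""Mini evaluator for the Kibana/Lucene query forms shown on this page.

Added example. It approximates Kibana's query-string semantics on a list of
in-memory documents; it does not talk to Elasticsearch.
"""
import ipaddress
import re

# Constructed sample documents shaped like HCP telemetry (bro, yaf, snort).
# Illustrative records only, not data from a real deployment.
DOCS = [
    {"source:type": "bro", "ip_src_addr": "10.30.3.7", "status": 200,
     "user_agent": "Mozilla/5.0 Safari/605.1"},
    {"source:type": "bro", "ip_src_addr": "192.168.1.20", "status": 404,
     "user_agent": "curl/7.64.1"},
    {"source:type": "bro", "ip_src_addr": "172.16.5.9", "status": 499,
     "user_agent": "python-requests/2.25"},
    {"source:type": "yaf", "ip_src_addr": "10.200.9.1", "ip_dst_port": 443,
     "protocol": "tcp"},
    {"source:type": "snort", "ip_src_addr": "203.0.113.8", "sig_id": 1000001,
     "msg": "ET SCAN Nmap Scripting Engine User-Agent"},
]

# field:value, where the field name may contain escaped colons (e.g. source\:type)
FIELD_RE = re.compile(r"^((?:\\.|[^:\\\s])+):(\S.*)$")
# Bracketed inclusive range: [START TO END]
RANGE_RE = re.compile(r"^\[(\S+)\s+TO\s+(\S+)\]$")


def _coerce(value):
    """Return (kind, key) so that values of the same kind order correctly.

    kind 0 = IP address (compared numerically), 1 = number, 2 = plain text.
    """
    text = str(value)
    try:
        return (0, int(ipaddress.ip_address(text)))
    except ValueError:
        pass
    try:
        return (1, float(text))
    except ValueError:
        return (2, text)


def _in_range(value, lo, hi):
    """Inclusive range test; a value of a different kind than the bounds never matches."""
    kv, kl, kh = _coerce(value), _coerce(lo), _coerce(hi)
    if not (kv[0] == kl[0] == kh[0]):
        return False
    return kl[1] <= kv[1] <= kh[1]


def _tokens(value):
    """Rough stand-in for the standard analyzer: lowercase, split on punctuation."""
    return set(re.findall(r"[a-z0-9]+(?:\.[a-z0-9]+)*", str(value).lower()))


def parse_query(query):
    """Return ('text', term) | ('field', name, value) | ('range', name, lo, hi)."""
    query = query.strip()
    m = FIELD_RE.match(query)
    if not m:
        return ("text", query)
    field = m.group(1).replace("\\:", ":")   # unescape source\:type -> source:type
    value = m.group(2)
    r = RANGE_RE.match(value)
    if r:
        return ("range", field, r.group(1), r.group(2))
    return ("field", field, value)


def matches(doc, parsed):
    kind = parsed[0]
    if kind == "text":                       # free text: any field, any token
        want = parsed[1].lower()
        return any(want in _tokens(v) for v in doc.values())
    if kind == "field":                      # field:value
        _, field, value = parsed
        if field not in doc:
            return False
        actual = doc[field]
        if isinstance(actual, (int, float)) and not isinstance(actual, bool):
            try:
                return float(value) == actual
            except ValueError:
                return False
        return value.lower() == str(actual).lower() or value.lower() in _tokens(actual)
    _, field, lo, hi = parsed                # field:[lo TO hi]
    return field in doc and _in_range(doc[field], lo, hi)


def search(docs, query):
    """Return the documents matching a single query of one of the four forms."""
    parsed = parse_query(query)
    return [d for d in docs if matches(d, parsed)]


if __name__ == "__main__":
    for q in ("safari", "status:200", "status:[400 TO 499]",
              "ip_src_addr:[10.0.0.0 TO 10.255.255.255]", r"source\:type:snort"):
        print(f"{q!r:45} -> {len(search(DOCS, q))} hit(s)")
```

The IP range query is the one worth checking before you save a search for a new telemetry type: 10.200.9.1 sorts after 10.255.255.255 as a string but inside the 10.0.0.0/8 range as an address, so the range only behaves as described above when the field is treated as an IP, which is what `_in_range` does and what an ip-mapped field in Elasticsearch does.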