Common Features


Search & Filtering


Certain features, such as Search & Filtering, are common throughout the UNUM interface.


While the Search feature is described separately in other sections of the documentation, the following provides a general overview of the Search & Filtering function used throughout the Analytics areas of UNUM.


The Search box provides a useful method of searching for connection-related information, using an auto-populate feature based on previous searches.


Example: You begin by entering an IP address, e.g., 10.9., and a drop-down list appears highlighting the search criteria along with matching source and destination IP addresses.


Select an entry by clicking the desired IP address in the drop-down list, and the information is auto-populated in the search box.


Clicking on the desired IP address initiates the search.


The related information displayed in the graphical interface is updated with data from the search criteria and the filter information is highlighted in the filter bar.


Multiple searches populate the filter bar. When source and destination search criteria are entered, they are displayed in additional filter bars.


You can also search using an IP address in the /XX netmask (CIDR) format.


Clicking the arrow opens the Filter Actions drop-down menu, from which you select the available filters to refine the search results.


The Search box feature is available through many of the UNUM dashboards and is used in the same manner in each. The same is true for most Filter functions.



Search Box Example


Filter Actions Example




Filter Actions Selected Example

All Filters:


  • Enable – Enables the designated filter
  • Disable – Disables the designated filter
  • Pin – Pins the designated filter to the Dashboard interface
  • Unpin – Unpins the designated filter from the Dashboard interface
  • Invert – Inverts the designated filter
  • Toggle – Switch between filters
  • Remove – Removes the designated filter from the Dashboard interface


The designated filter is highlighted in the filter bar shown in the figure.


Filter Actions Rollover Example


Moving the mouse over the filter bar reveals an editing menu providing additional functionality including a query editor as shown in the figure below.


Query Editor Example


Retrieve the search history by selecting the Clock Arrow icon.


Clear prior search history criteria by clicking on Clear History, as shown in the figure below.


Search Prior History Example


The displayed information is updated at the selected sampling interval; click the Time link to choose an interval from 5 seconds to 24 hours.


Time Link Example


Data collection is stopped using the Pause icon and restarted using the Play icon.


Alternatively, turn off updates as desired.


Historical information is displayed by clicking on the Last (time) icon, which can display information from the current day back to the last 5 years.


The updated time sampling and historical selection are displayed in the tool bar.


Quick, Relative and Absolute time drilldown monitoring is selected by clicking the appropriate icon. The Quick method displays data from the current day back to the previous year.


Time Range with Top Talkers Example


In some cases, the Time Range selection will not include Top Talkers as illustrated below.


Time Range - Quick Mode - Example


The Relative and Absolute methods provide an expanded and finer level of granularity for selecting data from specific date ranges as illustrated below.


Time Range - Relative Mode - Example


Time Range - Absolute - Example


Search Details Table


The Search pane provides extensive details regarding the information displayed in the dashboard.


Search Pane Details Example


Data Filtering


Rolling over a column in any given Details section reveals an icon used to add or remove filters from the search criteria.


Clicking on the icon in the Details section reveals Tabular and JSON data.


You display more detailed information by clicking the arrowhead icon. Table data is displayed along with the JSON data.


The details are displayed in two tabs:


Search Pane Table Data Example


Search Pane JSON Data Example


Export Data


Click on Export to export data to a CSV file. You have the option to Open or Save the File.



Search Pane Export Data Example


Using UNUM Insight Analytics Flow Search Features


UNUM Insight Analytics Flow provides a powerful search engine with a simple query syntax designed to isolate and filter specific flows among millions in a fraction of a second.


It has the following features:


  • Powerful query syntax to filter flow metadata based on field-based exact matches, regular expressions, ranges and Boolean operators.
  • Selected views from the Connection Dashboard.
  • IP geolocation for clients and servers, with a custom extension to place devices across a large private network on the map.
  • Aggregated flow statistics: duration, latency, total bytes per connection.
  • Extensive “time machine” with absolute or relative year-month-day-hour-minute-second granularity.
  • Detailed flow table consisting of over 30 metadata fields associated with each flow.


The UNUM Insight Analytics Flow Search page allows you to search the database using custom text queries.


You enter the text query in the search field, and then click the magnifying glass icon to execute the query.


When data is available, the Search dashboard updates and the records matching the query are displayed in the lower part of the search page.


Queries may be executed on any combination of the following fields (case sensitive):


| Field Name | Example | Notes |
|---|---|---|
| vnet:<string> | vnet:"prod" | |
| vlan:<number> | vlan:24 | |
| vxlan:<number> | vxlan:1000 | |
| switchName:<name> | switchName:"eta" | |
| srcSwitchPort:<number> | srcSwitchPort:40 | |
| dstSwitchPort:<number> | dstSwitchPort:46 | |
| etherType:<number> | etherType:2048 | IPv4 |
| srcMac:<string> | srcMac:"4c:8d:79:eb:95:c2" | |
| dstMac:<string> | dstMac:"00:00:5e:00:01:0a" | |
| srcIp:<string> | srcIp:"10.20.100.100" | |
| dstIp:<string> | dstIp:"216.58.192.34" | |
| app:<string> | app:"https", app:"ftp-control" | Also dstPort:<number>, as in dstPort:[20 TO 21] |
| dscp:<number> | dscp:0 | |
| proto:<number> | proto:6 | TCP |
| curState:<string> | curState:"SYN" | Also "FIN", "EST", "RST" |
| dur:<number> | dur:50 | |
| latency:<number> | latency:1000000 | Time is in microseconds |
| startedTimeStr:<string> | startedTimeStr:"1456346059000" | Unix time 1456346059 = Wed, 24 Feb 2016 20:34:19 GMT (*) |
| endedTimeStr:<string> | endedTimeStr:"1456346159000" | Unix time 1456346159 = Wed, 24 Feb 2016 20:35:59 GMT (*) |
| throughput:<number> | throughput:4.5 | |
| ibytes:<number> | ibytes:0 | |
| obytes:<number> | obytes:1000 | |
| totalBytes:<number> | totalBytes:5000000 | |
| age:<number> | age:7 | |
| fabricName:<string> | fabricName:"prod" | |



Insight Analytics Flow Search - Search Fields

On the Search page, you query a specific subset of transactions from the selected time frame. The query syntax allows Boolean operators, wildcards, and field filtering. For example, to search for HTTP redirects, use the syntax:


http AND http.code: 302

String Queries


A query may consist of one or more words or a phrase.


A phrase is a group of words surrounded by quotation marks, such as “test search”.


To search for all HTTP requests to a specific domain, use “mydomain.com” in the search field.



Informational Note: To search for an exact string, you need to wrap the string in double quotation marks. Without quotation marks, the search in the example matches any documents containing any of the words my, domain, or com.



Field-based Queries


You can also search on specific fields in the database. To view HTTP transactions, for example, use the query:


type: http

Regexp Queries


The Search page also supports regular expressions for filters and expressions. For example, to search for all HTTP responses with JSON as the returned value type, use the query:


http.content_type: *json

Boolean Queries


Boolean operators such as AND, NOT, and OR allow you to combine multiple sub-queries.



Informational Note: Capitalize all operators such as AND, OR, and NOT.



To search for all VLANs except VLAN 0, use the query NOT vlan: 0.


Parentheses are also supported to group sub-queries. To search for all apps connected on Friday with a latency of 10, use the following query:


(app: http AND dayOfweek: 6-Fri) AND latency: [0 TO *]


The text query follows a simple syntax, as in the following examples:


| Data Query Syntax | Explanation |
|---|---|
| * | Wildcard to select everything, or to indicate "from" any value or "up to" any value |
| NOT vlan:24 | Exclude VLAN ID 24 |
| srcSwitchPort:[40 TO 45] | Include input ports 40 to 45 |
| dstSwitchPort:{9 TO 16} | Include output ports 10 to 15 |
| srcSwitchPort:[10 TO 20] AND dstSwitchPort:{9 TO 16} | Input port 10 to 20 and output port 10 to 15 |
| srcSwitchPort:[10 TO 20] OR dstSwitchPort:{9 TO 16} | Input port 10 to 20 or output port 10 to 15 |
| srcHostname: "fc-w550s" AND app: "ssh" | Connections from host fc-w550s using ssh |
| startedTimeStr: "1456346059000" TO "1456346159000" | Connections between Wed, 24 Feb 2016 20:34:19 GMT and Wed, 24 Feb 2016 20:35:59 GMT |
| NOT startedTimeStr: "1456346059000" TO "1456346159000" | Exclude the connections in the same interval |
| app:"ssh" AND NOT startedTimeStr: "1456346059000" TO "1456346159000" | Connections using ssh outside the given interval |
| latency:[1000000 TO *] AND app:"LDAP" | Connections to an LDAP server that took 1 second or more to be established |
| totalBytes:[5000000 TO *] | Connections with 5 million bytes of data transfer or more |


Insight Analytics Flow Search Syntax Examples



Informational Note: All syntax above is case sensitive.
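Added example (written for this page, not UNUM's own code): a small Python evaluator for the query syntax described above, covering field:value terms, quoted phrases, [a TO b] and {a TO b} ranges with * as an open end, NOT/AND/OR and parentheses, run over two constructed flow records. It assumes AND binds tighter than OR (Lucene-style precedence, which the page does not state) and accepts time ranges only in bracketed form, e.g. startedTimeStr:["1456346059000" TO "1456346159000"], not the bare "a" TO "b" form shown in the table.

```python
import re
# Constructed sample flows (not real UNUM data); field names follow the Search Fields
# table, startedTimeStr is Unix time in milliseconds, latency is in microseconds.
FLOWS = [
    {"srcHostname": "fc-w550s", "vlan": 24, "srcSwitchPort": 40, "dstSwitchPort": 12,
     "app": "ssh", "latency": 1200000, "startedTimeStr": "1456346070000"},
    {"srcHostname": "dc01", "vlan": 0, "srcSwitchPort": 15, "dstSwitchPort": 9,
     "app": "LDAP", "latency": 1000000, "startedTimeStr": "1456346200000"},
]
# A token is "(", ")", or an optional "field:" prefix followed by a bracketed range,
# a quoted phrase or a bare word (AND / OR / NOT are bare words).
TOKEN = re.compile(r'\(|\)|(?:[\w.]+:\s*)?(?:\[[^\]]*\]|\{[^}]*\}|"[^"]*"|[^\s()]+)')
RANGE = re.compile(r'^([\[{])\s*"?([^"\s]+)"?\s+TO\s+"?([^"\s]+)"?\s*([\]}])$')
PREC = {"OR": 1, "AND": 2}  # assumed: AND binds tighter than OR; NOT binds tightest

def _cmp(v):  # numbers compare numerically, anything else (including "*") as text
    return float(v) if str(v).replace(".", "", 1).isdigit() else str(v)

def match_term(token, flow):
    """One field:value term: [a TO b] is inclusive, {a TO b} exclusive, * open-ended."""
    field, _, value = token.partition(":")
    if field not in flow:
        return False
    actual, value = _cmp(flow[field]), value.strip()
    if rng := RANGE.match(value):
        lo, hi = _cmp(rng.group(2)), _cmp(rng.group(3))
        ok_lo = lo == "*" or (actual >= lo if rng.group(1) == "[" else actual > lo)
        ok_hi = hi == "*" or (actual <= hi if rng.group(4) == "]" else actual < hi)
        return ok_lo and ok_hi
    if value.startswith('"'):  # quoted phrase: exact, case-sensitive string match
        return str(flow[field]) == value.strip('"')
    return actual == _cmp(value)

def evaluate(query, flow):  # precedence-climbing evaluation of one query on one flow
    toks = TOKEN.findall(query)
    def atom():
        tok = toks.pop(0)
        if tok == "NOT":
            return not atom()
        if tok == "(":
            val = expr(); toks.pop(0)  # evaluate the group, consume the closing ")"
            return val
        return match_term(tok, flow)
    def expr(min_prec=1):
        val = atom()
        while toks and PREC.get(toks[0], 0) >= min_prec:
            op = toks.pop(0); rhs = expr(PREC[op] + 1)
            val = (val and rhs) if op == "AND" else (val or rhs)
        return val
    return expr()
```

Calling evaluate(query, flow) for each record in FLOWS returns which constructed flows a query from the table above selects; the {9 TO 16} case excludes the flow on output port 9, and the NOT startedTimeStr range excludes the ssh flow started inside the interval.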