Use Visual Search
New Log Search is available for Open Preview
We are rolling out a new Log Search experience to customers with an open preview starting January 31st, 2023. You can still use the original Log Search during this open preview. Both the original and the new Log Search will exist in parallel until development is complete. For now, review the topic on the new Log Search and navigate to the Log Search Open Preview page in InsightIDR to become familiar with the new layout. Check back soon for fully updated documentation.
Visual Search gives you visibility into your log data without any pre-configuration. With Visual Search, you can quickly find hidden pieces of information in your logs, visualize large amounts of data over a wide time range, filter and drill down into your data, and take action on important events. You can also control visualizations by changing the time range.
Get Started
Visual Search works by automatically parsing your log data and selecting the 2 most frequently occurring keys in your selected log(s). InsightIDR generates visualizations based on these keys, and displays a timeline of matching search results above your log data. To view your visualizations: Go to Log Search, select a log, and click the Visualizations tab.
Add new visualizations
You can add a new visualization from the Visualizations tab of your selected log(s).
- Click the "Add Card" button.
- Select or enter a key to visualize.
- Select a graph type.
- To save your visualization, click Add Card again.
Configure your Visualizations
You can configure the type of visualizations displayed in Visual Search mode by clicking on the settings button on the specific visualization you wish to edit.
From here you can configure the following items:
- The name of the visualization.
- The calculation that is to be run.
- The type of chart to be used to render your query result.
Interact with your visualizations
Visualizations are interactive, which means you can update your query by selecting a data point on any of your cards to filter the search results. Cards will automatically update based on how they relate to your selection.
To drill down into a particular value, click on the series in the visualization. In the example below, we drilled into the first bar chart to show the results of all entries where the service was "OUTLOOK.EXE".
We can continue to drill down further by selecting a "result" slice in the bar chart to show only entries where result = "FAILED_BAD_LOGIN". As you filter your data, the query builder is updated automatically. Your search filters will remain if you switch to the Entries or Table View tabs.
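The following is an added, self-contained model of the behaviour described in "Get Started" and in this section: auto-parse log entries, pick the two most frequently occurring keys as the default cards, count values per key (the data behind each bar chart), and apply successive drill-down selections so that both the matching entries and the remaining cards narrow. It is illustrative code written for this page, not InsightIDR's implementation. The sample log lines are constructed, and the `where(...)` string it renders is an assumed approximation of the query builder's output, not a guarantee of the product's exact query syntax.

```python
"""Toy model of Visual Search: auto-detect the most common keys in log lines,
build per-key value counts (the "cards"), and apply drill-down filters.

Constructed sample data; not InsightIDR's own code or log format.
"""
import json
from collections import Counter

# Constructed sample log entries (one JSON object per line; not real data).
SAMPLE_LOG = """
{"service": "OUTLOOK.EXE", "result": "FAILED_BAD_LOGIN", "user": "alice"}
{"service": "OUTLOOK.EXE", "result": "SUCCESS", "user": "bob"}
{"service": "CHROME.EXE", "result": "SUCCESS", "user": "alice", "url": "https://example.test"}
{"service": "OUTLOOK.EXE", "result": "FAILED_BAD_LOGIN", "user": "carol"}
not-json garbage line that an auto-parser must tolerate
{"service": "TEAMS.EXE", "result": "SUCCESS", "user": "bob"}
{"service": "OUTLOOK.EXE", "result": "FAILED_BAD_LOGIN", "user": "alice"}
"""


def parse_entries(raw: str) -> list:
    """Parse one JSON object per line; skip blank or malformed lines instead of
    failing the whole search, since mixed log formats are the norm."""
    entries = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict):
            entries.append(obj)
    return entries


def most_frequent_keys(entries: list, n: int = 2) -> list:
    """Select the n keys present in the most entries (ties broken alphabetically)."""
    counts = Counter(k for e in entries for k in e)
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [k for k, _ in ranked[:n]]


def build_cards(entries: list, keys: list) -> dict:
    """One card per key: a count of each value, i.e. the data behind a bar chart."""
    return {k: Counter(e[k] for e in entries if k in e) for k in keys}


def drill_down(entries: list, filters: dict) -> list:
    """Keep only entries that match every selected key=value pair."""
    return [e for e in entries if all(e.get(k) == v for k, v in filters.items())]


def where_clause(filters: dict) -> str:
    """Render the selections as a where() clause in the style of the query
    builder (assumed LEQL-like syntax; verify against the product's reference)."""
    if not filters:
        return ""
    return "where(" + " AND ".join(f'{k}="{v}"' for k, v in filters.items()) + ")"


def visual_search(raw: str, filters: dict = None, n_keys: int = 2) -> dict:
    """Full pass: parse, choose default keys, apply drill-downs, rebuild cards."""
    filters = filters or {}
    entries = parse_entries(raw)
    keys = most_frequent_keys(entries, n_keys)
    filtered = drill_down(entries, filters)
    return {
        "keys": keys,
        "query": where_clause(filters),
        "matches": len(filtered),
        "cards": build_cards(filtered, keys),
    }


if __name__ == "__main__":
    # No selection: default cards over all entries.
    print(visual_search(SAMPLE_LOG))
    # First drill-down: click the OUTLOOK.EXE bar.
    print(visual_search(SAMPLE_LOG, {"service": "OUTLOOK.EXE"}))
    # Second drill-down: click the FAILED_BAD_LOGIN slice of the result card.
    print(visual_search(SAMPLE_LOG, {"service": "OUTLOOK.EXE",
                                     "result": "FAILED_BAD_LOGIN"}))
```

Each call returns the chosen keys, the rendered filter, the number of matching entries and the updated cards, which is the same information the Visualizations tab shows after each click: the result card narrows from 3 failures and 3 successes overall to 3 failures and 1 success once the service is fixed to OUTLOOK.EXE.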