Histogram Display and Time Settings

Learn about the Discover histogram display and how to manage time ranges for searches.

At the top of the search results page is a histogram of the results over the query time range. The histogram is displayed when the Refinery view has a defined timestamp field (selected when the view was created).

Some views for indexed data might not have timestamps. Queries against views that do not have a timestamp show neither the histogram nor the time range selector, because neither applies to that data. As an example, region-view does not have any timestamp details; it has dimension data that supports analysis. If you query that view, the histogram and time ranges do not appear.

Setting Time Ranges

The default time range for a search is the last 15 minutes. You can change and adjust the time ranges using the Search Analytics controls to select other ranges that better suit the index data or the type of investigation that you are performing.

For example, click the calendar icon next to the time range value to see a pop-up window with some easy-to-select options: adjusting the last number of minutes, selecting from commonly used values, or selecting from the range values used in recent searches. There is also a Refresh option to update the data on a scheduled time frame, which can be helpful for live object groups and the continuously new data that they receive. (Refresh is not very useful for searches on static indexes, because static index data does not change over time the way data in a live index object group does.)

Click the starting or ending time range to display another set of time options to set the start or end time value using a calendar widget or a relative interval widget, or to set a time to "now" using a quick click.

Alternatively, the histogram shows a window of data over the current time period. Click and drag inside of the histogram to zoom to a more specific duration of time. The time picker updates for the selected range, and the histogram updates to show the new data points.

What’s Next

Read about the search options available