Navigate View

Navigate View

The Navigate view ( Investigate > Navigate) displays event metadata--the meta keys and meta values-- that were found in captured data for the selected service. The data is filtered and displayed in accordance with the options you set for profile, time range, meta group, and query. You can also drill into the data by clicking meta keys and meta values.

Note: By default, the Navigate view is disabled in Version 11.6 as the Filter Events Panel in the Events view provides this functionality. To enable the Navigate view, see Configure the Navigate View and Legacy Events View.

Workflow

In the Navigate view, you can:

• View metadata for events in the Values panel.
• Visualize events in a timeline or parallel coordinates chart.
• Save events, go to an event using the event ID, visualize an event, and print an event.
• View additional contextual data for meta keys and values.
• Open a drill point or an event in the Legacy Events or the Events view.

What do you want to do?

*You can perform this task in the current view.

Related Topics

• How NetWitness Investigate Works
• Legacy Events View
• Events View

Quick Look

This figure illustrates the Version 11.5 Navigate view.

The Navigate view consists of these features:

• Toolbar
• Pause/reload button and breadcrumb
• Time banner
• Optional debug information.
• Collapsible Visualization panel
• Values panel
• Context Lookup panel
• Context menus

Toolbar

The following figure is an example of the toolbar. The toolbar provides a way to:

• Change the service being investigated.
• Control the range of data displayed: You can select use profiles, set a time range, use meta groups, and create queries to apply to the data.
• Set the quantification method and sorting method for data in the Values panel.
• Perform actions on the results. You can export and print results, open an event for which you have an event ID in the Legacy Events view or Events view, and pass a query to Informer.
• Configure Investigate settings without navigating away from the Investigate views.

Some of the toolbar options are labeled with the default value or the selected value rather than displaying the name of the option. For example, the time range option in the example above is labeled Last 5 Minutes to reflect the currently selected value. These are the toolbar options.

Pause/Reload Button and Breadcrumb

The breadcrumb tracks each query as you drill down through the metadata for the service. The following figure is an example of the breadcrumb.

Each query is listed with a drop-down menu in a pipe separated string. The last point is the current point, also called the tip. The icon in front of the breadcrumb allows you to pause the loading of meta values and to reload meta values. The breadcrumb does not include the service name and appears only if a query is in effect. If too many drill points exist for display, the overflow is shown as double angle brackets, >>, at the end of the breadcrumb. Each drop-down menu in the breadcrumb is the same, with slight variation based on the position of the crumb.

The following table describes the controls and menu options in the breadcrumb.

(Optional) Debug Information

If you have activated the Show Debug Information setting and the service you are navigating is a Broker, NetWitness, displays the debug information beneath the breadcrumb.

The debug information is the where clause from the current query. The only time there is no where clause is when the time range is all data and there are no drill points. If the Broker has at least one aggregate service that is offline, the debug information also lists the offline service.

For example:

(attachment exists)&&(tcp.dstport = '80')&&(risk.info exists)$$time='2014-05-04 18:50:00"-"2014-05-09 18:59:59(attachment exists) && (tcp.dstport = '80') && (risk.info exists) && time="2014-05-04 18:50:00"-"2014-05-09 18:50:59"

In addition, the time taken to load is displayed at the end of each meta key in the Values panel.

Time Banner

Just below the breadcrumb and debug information (if present), the time banner shows the time range used to create the chart. The following figure is an example of the time banner.

Visualizations

At the top of the Navigate view is a visualization of the current drill point. You can use this to drill into data from the Visualization panel (see Filter Results in the Navigate View). You can show or hide the visualization, and choose one of thevisualization options: Timeline or Coordinates. The Visualization opens initially to the last saved Visualization.

Timeline Chart

The timeline is the count of the number of events that occur at a specific instance. The timeline provides event counts so that you can see if the number of events increases drastically at a given point in time. The timeline displays activity for the specified service and time range as a line chart or a bar chart based on your choice in the Options menu. The second figure illustrates a line chart and third figure illustrates a bar chart.

The timeline displays activity for the specified service and time range, as a line chart or a bar chart based on your choice in the Options menu.

,,,, ,,,,,,, you can select the meta data to be displayed (see Visualize Metadata as Parallel Coordinates). An easy way to view a useful Parallel Coordinates chart is to choose a profile group as shown in the following figure.,,,,,,, ,,,,,,, but it there the number of events per meta key is limited.LinesLines represent events and they connect values on the axes to show the correlation between multiple meta keys.OptionsDisplays the Visualization Options dialog. Data points can be displayed as a Line chart (default), a Bar chart, or Coordinates chart. When a chart type is select, the relevant options are displayed.Only a subset of events is displayed.This message is a notification that not all events in the values panel are drawn in the chart. Removing axes or filtering the data in the Values panel can help to display all events.Events Found | Unique PathsDisplays the total number of events charted versus the number of unique paths charted. Setting the All Meta Keys Must Exist in an Event option redraws the chart so that it is more targeted and legible.DNEIndicates that there is no values for this meta key in the event.,,,, you can select the meta keys to chart.,,,,,,, more targeted visualization. Displays the Add Keys to Parallel Coordinates Visualization dialog so that you can add axes to the visualization. This is useful if you are looking for relationships between the default meta keys and some additional ones. Deletes the selected keys so that they do not appear as axes in the visualization. This can help to make the visualization less cluttered and allow for more data points to be included in the visualization. Reverts to the default meta keys for visualization, which consist of all meta keys in the current drill point. Controls the display of additional information about the number of selected axes versus the recommended count. This helps to make you aware of possible performance improvements by removing axes.AxesLists the meta keys selected as axes in the visualization.CancelCancels any changes made to the visualization options.ApplySaves the changes made to the visualization options and applies to the current visualization.,,,,,, you can select the meta keys or meta groups to use as axes the Parallel Coordinates visualization.,,,,,,, ,,,,,,, ,,,,,,, ,,,,,,, ,,,,,,, ,,,,,,, ,,,,,,, which presents meta keys and meta values found in the service being investigated. Procedures for analyzing data in the Values panel are provided in Filter Results in the Navigate View.,,,,,,, ,,,,,,, values, and counts for non-indexed meta keys are not drillable; the Values and counts are shown in black.,,,,,, ,,,,,,, ,,,,,,, which offer actions that can apply to that meta key. You can use these to change the way the results for the meta key are displayed in the current view. Changes made to meta keys are displayed in the current view and persist until you refresh the page or select a new service in the Navigate view toolbar. See Drill into Data in the Values Panel,,,,,,, NetWitness, a refresh restores the default meta keys from the core service.,,,,,, ,,,,,,, the user friendly name of the meta key is displayed with the index file name of the meta key following in brackets. For example Content Type [content] gives the user friendly name of the content meta key with the index file name in parentheses. For meta groups, the name of the group is given in plain English with the meta group name following in parentheses. This is an example of a meta group name as it would appear in the Values panel: All User Keys [users.all].3 and 4Clicking on an indexed meta key opens the Search dialog in which you can enter a filter for the current meta key. The search function is not available for non-indexed meta keys, and is based on the actual meta value rather than the alias. Drilling in the Search dialog using aliases is not supported.
NOTE: Check with your administrator to obtain a list of aliases used for a meta key in Investigation. When an alias is used, this search dialog does not provide results. Instead, you must query the meta key using the Right-click query capability or the Query dialog.5The meta value associated with the found meta key. These are listed in order by meta value name or by the count of events in which the meta value was found, according to your preference.6,, ,,,,,,, ,,,,,,, the meta key is Content Type, and 40 of 40+ values are currently displayed. You can display additional values by clicking