Siren Platform User Guide

Viewing document context

For certain applications it can be useful to inspect a window of documents surrounding a specific event. The context view enables you to do just that for index patterns that are configured to contain time-based events.

To show the context surrounding an anchor document, click the Expand icon to the left of the document's table entry and then click the View surrounding documents link.

Expanded document.

The context view displays a number of documents before and after the anchor document. The anchor document itself is highlighted in blue. The view is sorted by the time field specified in the index pattern configuration and uses the same set of columns as the Discover view the context was opened from. If there are multiple documents with the same time field value, the internal document order is used as a secondary sorting criterion by default.

Note

The field used for tie breaking in case of equal time field values can be configured using the advanced setting context:tieBreakerFields in Management > Advanced Settings, which defaults to the _doc field. The value of this setting can be a comma-separated list of field names, which are checked in sequence for suitability when a context is about to be displayed. The first suitable field is then used as the tie-breaking field. A field is suitable if it exists and is sortable in the index pattern the context is based on.

While not required, you should only use fields which have doc values enabled, to achieve good performance and avoid unnecessary field data usage. Common examples of suitable fields include log line numbers, monotonically increasing counters and high-precision timestamps.
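The selection rule in the note above, written out as an added example (this is not Siren's own code): the setting value is split on commas, each name is checked in order against the index pattern's field list, and the first field that both exists and is sortable wins. The sample field list and the sort-building helper are constructed for this example; a real index pattern exposes more metadata than the two flags used here.

```javascript
// Added example: resolve the context tie-breaker field the way the
// context:tieBreakerFields note describes. Not code from Siren Investigate.

// Default value of the setting as stated in the guide.
const DEFAULT_TIE_BREAKER_FIELDS = '_doc';

// Split the comma-separated setting into trimmed, non-empty field names.
function parseTieBreakerSetting(setting) {
  return (setting || DEFAULT_TIE_BREAKER_FIELDS)
    .split(',')
    .map((name) => name.trim())
    .filter((name) => name.length > 0);
}

// Return the first configured field that exists in the index pattern and is
// sortable, or null if none qualifies. indexPatternFields is assumed to be an
// array of { name, sortable } objects (an assumption made for this example).
function resolveTieBreakerField(setting, indexPatternFields) {
  const byName = new Map(indexPatternFields.map((f) => [f.name, f]));
  for (const name of parseTieBreakerSetting(setting)) {
    const field = byName.get(name);
    if (field && field.sortable) {
      return name;
    }
  }
  return null;
}

// Build the sort used for the context window: the index pattern's time field
// first, then the tie breaker as the secondary criterion (if one was found).
function buildContextSort(timeFieldName, tieBreakerField, order = 'desc') {
  const sort = [{ [timeFieldName]: order }];
  if (tieBreakerField) {
    sort.push({ [tieBreakerField]: order });
  }
  return sort;
}

// Constructed index-pattern field list (not taken from a real deployment).
// 'message' exists but is not sortable, so it must be skipped; '_doc' is
// listed here as a sortable meta field so the default setting resolves.
const SAMPLE_FIELDS = [
  { name: '@timestamp', sortable: true },
  { name: 'message', sortable: false },
  { name: 'log.line', sortable: true },
  { name: '_doc', sortable: true },
];

// Walk through a misconfigured setting: the first name is not sortable, so
// the second one is chosen.
const chosen = resolveTieBreakerField('message, log.line', SAMPLE_FIELDS);
console.log('tie breaker:', chosen);
console.log('sort:', JSON.stringify(buildContextSort('@timestamp', chosen)));
```

A field that is absent from the index pattern is treated the same as a non-sortable one: the loop simply moves on to the next name, which is why listing a high-precision counter first and _doc last gives a safe fallback.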

Context view.

Note

The number of documents displayed by default can be configured using the context:defaultSize setting in Management > Advanced Settings.

Changing the context size

You can change the number of documents displayed before and after the anchor document independently.

To increase the number of displayed documents that are newer than the anchor document, click Load 5 more above the document list or enter the desired number into the input box.


To increase the number of displayed documents that are older than the anchor document, click Load 5 more below the document list or enter the desired number into the input box.


Note

The default number of documents loaded with each click can be configured using the context:step setting in Management > Advanced Settings.

Filtering the context

Depending on how the documents are partitioned into index patterns, the context view may contain many documents not related to the event under investigation. To adapt the focus of the context view to the task at hand, you can use filters to restrict the documents considered by Siren Investigate for display in the context view.

When switching from the Discover view to the Context view, the previously applied filters are carried over. Pinned filters remain active, while normal filters are copied in a switched-off state. You can selectively re-enable them to refine your context view.

New filters can be added using the Add a filter link in the filter bar, by clicking the filter icons appearing when moving the mouse pointer over a field, or by expanding documents and clicking the filter icons in the table.

Discover context view filter montage.