Using Demo Data

To get to know Falcon LogScale, you can use the built-in tutorial. This is an interactive, self-explanatory guide that takes you through the user interface and its key components, and shows you how to search and query the sample data.

The Interactive Tutorial section below provides a walkthrough and some tips on how to get the most from the tutorial.

The Interactive Tutorial

  1. To access the tutorial, click the Help icon on the top right of the screen and choose Tutorials.

    Figure 1. Access the Tutorial


  2. Click Start tutorial. The window will look similar to the screenshot in Figure 2, “Start Tutorial”.

    Figure 2. Start Tutorial


  3. There are a few things worth noticing before using the tutorial:

    • At the top left, next to the Falcon LogScale logo is the name of the repository, sandbox. This is the sample repository that will be used for the interactive tutorial. You can see the data it contains in the main panel.

    • Across the top of the window (underneath the Navigation panel) you have the following components:

      • View Selector — this allows you to switch between different views and representations of the data. The default is the Event List, but if you have selected an appropriate query or display, you can also view tables and graphs of the data.

      • Queries — displays a list of queries, including recent queries that you have executed, and also saved queries. Saving queries is an important part of the Falcon LogScale experience as these saved queries can be shared and then used with graphs, widgets and dashboards.

      • Language Syntax — is a link to our Query Language Syntax guide.

      • Event list widget — is a link to the corresponding documentation for the content being displayed.

      • Time Selector — clicking on the arrows lets you flip the currently displayed time range; clicking on the time range lets you select the time range, including rolling time windows and live displays of incoming, streaming data.

      • Magnifying Glass — will 'zoom out' to increase the currently displayed time range.

      • Run — executes the currently displayed query.

    • Query Panel — this is the main panel where you can enter, and edit, your queries. The panel supports multiple lines (use Shift+Enter) and auto-extends to show up to 20 lines of the query.

    • Fields — the fields display on the left lists all of the fields identified during parsing that are currently shown in the displayed events. More fields may be in the dataset, but only fields matching the current data set are shown. Falcon LogScale can parse incoming logs into events and both extract and augment the incoming data into specific fields to make it easier to query and process. The display is organized into two groups: Columns shows the list of columns selected for the current view, and Results shows all the available fields in the current event list.

    • Statistics — shows a variety of statistics for the current data set and query. There are also options to change the displayed view and order of the data, and to export and save the data.

    • Event Histogram — the histogram shows the number of matching events across the current time span.

    • Event List — shows the list of all the events as a table. The data is based on parsed fields.

  4. Follow the tutorial by using the navigation in the right panel. It displays instructions for you to read and follow, tells you what to type and where, explains what you're doing, and provides links to the documentation.

  5. To continue with the interactive tutorial, click Next.

Searching the Sandbox Repository

The first step is to try searching the Sandbox repository, as shown in Figure 3, “Searching the Sandbox”.

There is a pre-filled input box containing the text example.com. To search for all log entries containing that text, you would type it in the input box near the top left of the screen. For the interactive tutorial, you could copy and paste it in that box, or you could just click on the right arrow next to the input box: it'll paste it into the input box for you.

When you run a search, you'll notice after a short time that the log entries in the main panel change to show only those containing the search term, in this case example.com. If you'd like, you can go beyond the example suggested. You could change the search term to something else, like Chrome to see all entries in which the server's web site was accessed with the Google Chrome browser, or Safari for the Macintosh web browser. Try whatever comes to mind, and don't worry about causing problems: you cannot change the data or ruin the tutorial by doing this.

Figure 3. Searching the Sandbox


Whether using Sandbox or some other repository, you can search on almost anything you want. However, to be assured of some results, click on one of the fields in the left margin to see what's available. For instance, you might click on the field userid. That will show in the main panel the user identifiers in the repository data. You would then take one of those names (for example peter), type it in the search input box and hit Enter. The results in the main panel will then show all of the entries that contain the user name you entered.

All of this experimenting will cause the interactive tutorial to take longer than predicted, but that's all right. It'll help you to learn the Falcon LogScale software and to be comfortable with the interface. When you've had enough, though, click Next at the bottom of the right margin to continue. This will take you to many more instructions on how to search a repository.

Navigating the Tutorial

At this point you should be able to follow the interactive tutorial yourself. There are just a few more things worth mentioning, things you might not notice as you're going through the tutorial.

  • Important items that you need to look at while following the tutorial will be highlighted in green.

  • When you're about to enter text in the search field, if you can't remember a function, try hitting Alt+Enter on Macintosh machines and Ctrl+Space on Windows or Linux computers. This will offer you some assistance.

  • Click the Back and Next buttons at the bottom of the right margin to go back to a previous page or forward to another page, one page at a time. Clicking the Tutorial Outline button will reveal the list of pages in the interactive tutorial. This will give you a sense of how far along you are in the tutorial. You can also use this list to navigate by clicking on whichever page you want to view.

Figure 4. Navigation


We recommend that you go through the pages of the interactive tutorial in order. However, you may want to jump back to a previous page to remember something that was covered already, and then jump back to wherever you were. Also, if you have to stop the tutorial and want to return to it later, this navigation will help you to go back to where you left off.

Learning More

The interactive tutorial is very useful in taking you through the process of first trying Falcon LogScale. However, you'll learn more from creating your own repository and using your own data. After you've finished the interactive tutorial and you're ready to learn more, read the Using Your Data section.