Skip to main content

Investigate

The Investigate feature allows you to run a preset investigation or saved query, and then view the results.

Role requirements

To pin investigations so that they appear on the Dashboard, you must be assigned the Admin role. The rest of the capabilities and features described in this topic are available to all users.

For more information on ActiveEye capabilities and the role(s) required to access them, see the ActiveEye Capabilities by User Role topic.

Viewing and editing investigations

  1. In ActiveEye, in the left pane, click Investigate.
    A page displaying available preset investigations and saved queries appears.
    The Investigation Catalog page
  2. To investigate using a preset investigation, in the Preset Investigations section, select the investigation type, and then select the preset investigation.
    -or-
    To investigate using a saved query, in the My Saved Queries section, select the saved query.
    tip

    If you have been assigned the Admin role, you can pin any query in the My Saved Queries section, causing it to appear on the ActiveEye Dashboard of everyone in your organization. To do so, switch the toggle in the Pinned column in the row for the saved query that you want to pin or unpin. An The pinned icon icon indicates that the saved query is pinned, and an The unpinned icon icon indicates that it is not.

    A new page appears, displaying information based on the selected preset investigation or saved query.
    The Investigation Results page

  3. On this page, you can perform the following actions:

    • Modify filters: In the upper-left corner of the page, filters active in the selected preset investigation or saved query are displayed. Hovering over each filter reveals options to modify or delete the filter. To add an additional filter, click The plus buton, then enter the specifications for the filter, and then click Add Filter. To quickly change the range of time displayed, in the upper-right corner of the screen, click one of the buttons displaying an hour or day range.

    • Compare data: To compare the data in the selected timeline to a second timeline, click Compare. When you do, the Event Timeline section displays a second graph, and counts that were displayed in the Field Summary section are replaced with the difference between counts in the compared timelines. The second timeline displayed will span the range of dates directly preceding the currently selected range of dates. For example, if the original data spanned a 14 day range from 06/17/24 to 06/30/24, the compared data will span the 14 days prior to that range: 06/03/24 to 06/16/24. When comparing data, you can download data, create a report module with the data, or add the data to a daily email summary. To close the comparison and return to the original data, click Clear.

    • Download data: To download the data for further processing or archiving, click The Download Data button. You can download the data in the CSV or JSON format. If the Include aggregates checkbox is selected, the downloaded ZIP file will include a JSON Source File containing the aggregate counts from the boxes in the Field Summary section. If the Include manifest checkbox is selected, the downloaded ZIP file will include a JSON Source File containing the query details. The maximum download size is 10,000 events.

    • Save investigation: If you have modified filters and want to save your changes, click The Save Investigation button. Then, in the Save Investigation window, modify the Display Name and Description as needed. If you want the investigation to be visible to others within your organization, select the share with your organization checkbox; if this checkbox is cleared, the saved investigation will only be visible to you. If you want the saved investigation to always display time relative to when it is accessed, meaning that it will always display data in the selected time range up to the present, select the relative time checkbox. If you instead want the investigation to always display data in the specific range of time shown when it is saved, clear the relative time checkbox. If you are saving a modified version of a saved query, you can click Update Query to overwrite the saved query, or you can click Create Query to create a new, separate saved query. If you are saving a modified preset investigation, you must create a new query. To update the investigation with your changes, click Update Query.

    • Create a report module: Investigations can be added to custom reports through the creation of a report module, which can then be configured and added to a report template. To create a report module, click The Create Report Module. Then, in the Reporting window, modify the Title and Description as needed. If you want ActiveEye to open a new tab where you can create a report template containing the report module, select the create report now checkbox. For more information on using report templates, see the Adding a new report template section of the Reports topic. To create the report module, click Create Module.

    • Add the investigation to a daily email summary: To add the investigation to a daily email summary, click The Daily Email Summary button. Then, in the Daily Email Summary window, select the name of the daily email summary to which you want to add the investigation. When you make the selection, the investigation is added to the daily email summary immediately. If you want to edit a daily summary, click Edit Daily Email Summaries. For more information, see the Daily Email Summary topic.