Explore Logs

RunReveal’s log explorer provides a powerful interface for querying and analyzing your log data. The explorer features a compact layout, sidebar navigation, saved queries with version history, and AI-powered query assistance.

Overview

RunReveal’s log explorer provides an improved experience for log analysis with better visibility, intuitive filtering, and AI-powered query assistance. The explorer makes all functionality discoverable and accessible on a single page.

Key Features

The log explorer includes several key features:

• Compact Layout: Everything fits on one page - you can see log volume, filters, and results simultaneously without constant scrolling
• Sidebar Navigation: Table and column selection in a dedicated sidebar for better discoverability
• Linkable Views: Share exploration sessions with shareable URLs that preserve your exact configuration
• Saved Queries: Save queries with version history to iterate on ideas and track changes over time
• AI Assistant: Get help creating and updating queries using natural language prompts
• Fixed Layout: Optimized screen real estate with fixed-size components for consistent viewing

Explorer Interface Layout

The explorer is organized into these key sections:

1. Sidebar (Left)

The collapsible sidebar provides:

• Table Browser: Browse and select from available tables, views, and materialized views
  • Tables are organized by category (logs, source-specific views, custom views)
  • Expand tables to see their schema and available columns
  • Click a table to select it for querying
• Column Selection: When a table is selected, view all available columns with their data types
• Toggle Button: Collapse/expand the sidebar to maximize screen space

2. Top Bar

The top bar contains:

• Time Picker: Select your time range for the query
• Interval Selector: Set the time bucket granularity for the histogram
• Action Buttons:
  • “Edit as Query”: Switch to SQL mode and open the query in the query editor
  • “Create Detection”: Convert your exploration into a detection rule
  • Share/Link: Generate a shareable link to your current exploration state

3. Filter Builder

The filter section allows you to:

• Build Dynamic Filters: Add filters using a visual builder with column autocomplete
• Type-Aware Operators: Operators adapt based on column data type (equals, contains, greater than, etc.)
• Multiple Conditions: Add multiple filters that combine with AND logic
• Context Menu: Right-click on result values to quickly “Include in filter” or “Exclude from filter”

4. Visualization

The time-series histogram:

• Fixed Size: Compact, horizontally-stretched chart that doesn’t dominate the page
• Click to Zoom: Click and drag on the chart to select a time range and automatically update filters
• Grouped Series: When grouping by a column, see multiple colored series for comparison
• Real-time Updates: Chart updates automatically as you modify filters or time ranges

5. Results Table

The results view:

• Fixed Space: Dedicated area for log results with proper scrolling
• Sortable Columns: Click column headers to sort results
• Row Details: Click rows to see full event details
• Performance Metrics: Shows query execution time and row count

SQL Query Mode

When you click “Edit as Query”, the explorer switches to SQL mode:

• SQL Editor: Full-featured SQL editor with syntax highlighting
• Same Layout: Maintains the same page layout for consistency
• Saved Queries Sidebar: Access your saved queries from a collapsible drawer
• Version History: View and restore previous versions of saved queries
• AI Assistant: Get help writing and fixing SQL queries using natural language

Saved Queries

The explorer includes a powerful saved queries system:

Creating Saved Queries

1. Write your query in SQL mode
2. Click “Save” in the top bar
3. Enter a name and optional description
4. The query is saved with all parameters and settings

Version History

Every time you save a query, a new version is created:

• View History: Click the version history icon to see all previous versions
• Restore Versions: Restore any previous version of a query
• Track Changes: See when each version was created and by whom
• Automatic Versioning: No need to manually version - every save creates a new version

Managing Saved Queries

• Saved Queries Drawer: Access all your saved queries from the sidebar
• Search: Search saved queries by name
• Duplicate: Create a copy of a saved query to iterate on
• Delete: Remove saved queries you no longer need
• Edit Name: Click the query name in the header to edit it inline (Google Docs-style)

AI Assistant

The AI assistant helps you work with queries:

Using AI to Create Queries

1. Click the AI Assistant button in SQL mode
2. Describe what you want to query in natural language
3. The AI generates a SQL query based on your description
4. Review and refine the generated query

Fixing Query Errors

When a query has an error:

1. Click “Fix with AI” button
2. The AI analyzes the error and suggests a fix
3. Review the corrected query and apply it

Query Iteration

• Refine Queries: Ask the AI to modify existing queries
• Add Filters: Request additional filters or conditions
• Optimize: Ask for query optimization suggestions

Linkable Exploration Views

Every exploration state can be shared via URL:

• Shareable Links: The URL contains all your settings (table, filters, time range)
• Team Collaboration: Share investigation links with team members
• Documentation: Bookmark specific exploration states for documentation
• Context Preservation: Links preserve your exact filter configuration

Switching Between Modes

You can seamlessly switch between exploration modes:

• Explorer → Query Editor: Click “Edit as Query” to convert your exploration to SQL
• Query Editor → Explorer: Use the “Open in Explorer” option to view query results in explorer mode
• State Preservation: Your filters and settings are preserved when switching modes

Best Practices

• Start with Explorer: Use the visual explorer for initial investigation
• Switch to SQL: Use “Edit as Query” when you need more complex queries
• Save Frequently: Save queries as you iterate to preserve your work
• Use Version History: Don’t worry about breaking queries - you can always restore
• Share Links: Use shareable links to collaborate with your team
• Leverage AI: Use the AI assistant for query suggestions and error fixes

Query Tips

Follow these tips to improve query performance and get faster results:

• Use source-specific views: Instead of querying the logs table, use source-specific views like okta_logs, aws_cloudtrail_logs, or github_logs. These views are optimized for their respective sources and can significantly improve query speed.

• Filter by sourceType: When querying the logs table, add a filter on sourceType to narrow down results to specific log sources. This reduces the amount of data that needs to be scanned.

• Use smaller time ranges: Shorter time windows (e.g., 1 hour or 1 day) process faster than longer ranges (e.g., 30 days). Start with a smaller time range to test your query, then expand if needed.

• Add specific filters early: Apply filters on indexed fields (like sourceType, sourceID, or normalized fields) as early as possible in your query to reduce the dataset size before processing.

• Limit result sets: Use the LIMIT clause or set reasonable result limits to avoid processing and returning excessive amounts of data.

• Use aggregations: When possible, use aggregation functions (COUNT, SUM, etc.) instead of returning all individual events. Aggregations are more efficient for large datasets.

Related Documentation

• Pipelines - Build and manage data processing pipelines
• Transforms - Normalize and transform your log data
• Custom Views - Create virtual tables with custom columns
• Filtering - Apply filters to focus on specific events
• Detections - Create automated detection rules from your queries
• Dashboards - Visualize your log data with custom dashboards