Quick Views through the Query Wizard

Overview

We’ve all been down the rabbit hole; diving through data trying to find that one key piece of information to display and tie all the loose ends together.

Unfortunately, it’s possible that at times you might not even know what the best way to view the data will be, so you need to be able to explore without having to delve into your asset records to add or review potential fields.

In cases where you are pivoting from a dashboard chart or a saved query, editing columns to view can be tedious, especially when you are still perusing through the bulk data return.

Here are some ways to quickly add and review source fields to your views without having to change the query or navigate to the device or user profile pages to search across adapter records.

Walkthrough

For this example, let’s start out with the intent of finding more details about relevant data fields from Windows 10 workstations. From our ‘Windows Workstations’ dashboard chart, we can click on the row for Windows 10 and jump to the Device page to take a closer look at those 47 assets.

After the devices load, we can see there is a generic listing of fields. You can always go in and make column additions by clicking the ‘Edit Columns’ icon, but here is another way to expedite field addition:

Pop open the Query Wizard and start typing in the first few letters of the field you would like to add (We will use ‘Preferred OS Type and Distribution.’) After you select it, click the Blue "+" Icon to ‘Add Field to Column’.

Note: you do not have to complete the query language to add the column to view.

We can repeat the process to add additional fields without changing the data. For this example, I have added several more Preferred fields.

Click Save As and rename to save this query of the Windows 10 workstations to have both the asset data with your desired view.

Now let’s say we want to look a little bit deeper into the scope and want to add fields to view from the Crowdstrike adapter. Pop open the Query Wizard again and change from the Axonius Aggregate to the Crowdstrike adapter

One of two things will happen: 

Scenario 1

Nothing much happens at all. After you select the Crowdstrike adapter, you can add fields by clicking the drop down menu and explore all of the different fields for this particular adapter. We are still viewing the same 47 records of Windows 10 Workstations and have added the Agent Version field to view. You can also continue to explore and add fields from the Axonius Aggregate or from other individual adapters.

Scenario 2

You select the Crowdstrike adapter in the Query Wizard and ALL the data instantly changes!

Suddenly the Query Wizard resets and we are staring at just 9 device records and have lost our scope of Windows 10 workstations.

Why did this happen?

There is a setting that can be enabled/disabled within the System Settings, under the GUI settings tab to Perform a query every keypress.

If checked, it will automatically refresh the query and return new results as demonstrated above. If you prefer scenario 1, simply uncheck and click save at the bottom of the GUI Settings page.

There is a way of having the best of both worlds should you want the query every keypress option enabled:

When you open the Query Wizard to add more fields, leave the top row for the Axonius Aggregate completely empty and click the "+" symbol in the lower left corner to add an additional row. This time when you change the bottom row to the Crowdstrike adapter nothing happens due to the first row expression being invalid.

Now you can continue to add and search through fields by various adapters without worrying about losing the initial scope.

Note: You can use the same logic with Saved Queries.

Thanks for reading! Please reach out with any questions!