Reviewing Historical Data and Snapshots
Last month I posted an article on ‘Understanding Historical Data and Snapshot Settings’. In this post we will cover the various ways to access, review and search data from these historical snapshots. There are three primary ways to achieve this.
1) Setting the ‘Display by Date’
For our first example, we will execute a basic ‘Saved Query’ from our demo environment called ‘DW_Windows devices not in AD’.
When we review the results, we see 71 records for Windows devices not seen in AD for the last 7 days.
Perhaps we want to better understand how the data is trending over time, but are not sure if it is something we want to chart. We know the criteria from the query language is based on ‘last seen = 7 days’.
If we wanted to see how the number compared to the previous week, we could make a quick change to the ‘Display by Date’ box and choose the date from a week prior.
In doing so, we are accessing the previously saved historical snapshot, and operating within Axonius as if this archive was the current workday.
Adjusting again for an earlier date.
An IMPORTANT point to keep in mind: until we reset it back to the current day, all subsequent queries executed during the session will run from this archival date. To reset, either click the ‘X’ in the ‘Display by Date’ box, or open the calendar and click ‘Today’.
As you can see, with just a few quick clicks, you can leverage a query and target a specific date to reference historical data without changing the query parameters. This can be helpful in many different scenarios (last used users on a device, IP assignments in DHCP environments, Incident Response).
2) Adjusting the ‘Filter by Date’ from a Chart
Another method for accessing and reviewing the historical data is from individual charts within the Dashboard Spaces. Let’s say we had a Field Segmentation chart providing the total count of devices based on our ‘DW_Windows Devices Not in AD’ query:
If we click the blue 'filter' icon at the top of the chart, we can once again choose the desired start date for the query execution.
After clicking ‘Show Results’, the chart will update using the selected start date (10-27-2021).
If we click on the Windows 10 device line (count of 33), we will pivot to the ‘Devices’ page and see the list of matching devices. Note the date in the ‘Display by Date’ box at the top of the page corresponds to the date selected in the filter of the field segmentation chart.
3) Pivot from a Query Timeline Chart
The final way to jump back in time is from a Query timeline chart.
If you hover over the timeline, you can once again choose the desired snapshot date to pivot back to by clicking on the dot. This will return you to the ‘Devices’ page and allow you to review the data.
Thanks for reading and please reach out with any questions or for assistance!