Managing queries

1. Open an investigation.
2. Click New query.
3. In the query editor, enter a KQL query or select a template.

1. Open an investigation with the required query.
2. Select the tab with your query.
3. Make your changes in the query editor.

Changes are saved automatically.

1. Click the period selector next to the start button.
2. Select one of the presets:
   • Last 5 minutes
   • Last 30 minutes
   • Last hour
   • Last 3 hours
   • Last 6 hours
   • Last 12 hours
   • Last day

Or select a custom period:

1. Click the time period selector.
2. Select a custom period.
3. Specify the start date and time of the period.
4. Specify the end date and time of the period.
5. Click Apply.

1. Make sure your query is entered in the editor.
2. Select a time period.
3. Click the query run button.

After you run it, the query enters the Running status. Once it is over, its results are presented in the table and on the histogram.

1. While the query is running, click the stop button.
2. The request will enter the Canceled status.

1. Click the query name in the tab.
2. Enter a new name.
3. Press Enter or click outside the input field.

1. Right-click the query tab.
2. Select Delete.
3. Confirm the deletion.

1. Open the query.
2. In the actions menu, select Share.
3. Copy the query link.

This link contains the query text and the selected period. The recipient will be able to open the query in their investigation.

1. Run the query.
2. In the results table, click the column settings icon.
3. Select the fields you want displayed.
4. Reorder the fields by dragging and dropping.
5. Click Apply.