Grouping events

After getting a list of events, you often need to split the events into groups to localize an information security event. KUMA can group events in a list by one or more fields.

To group events, you no longer need to manually edit the text of the query; instead, you can click a field in the Events section and select Add Group BY to the query in the context menu. You can select a sequence of multiple fields to group by, and the fields will be automatically added to the query string. Having selected your fields, click Run query. As a result, events are grouped by the specified fields. Found groups are displayed in the Groups section. They can be displayed as a table and as cards. You can toggle between the display modes. You can also export groups and events in TSV format.

You can exclude a group from search, which automatically modifies the query.

If you want to go back to the original query, click Run original query.

You can navigate through the groups and view the contents of each group.

You can use more complex grouping by adding one or more fields.

You can remove a group from the grouping and in this way, go back one step.

Statistics, retrospective check by group, and export to TSV are available.

If you want the grouping result to be independent of time (because events arrive continuously), you can set a fixed relative interval and apply it as an absolute interval so that the events of interest do not drop out of the selection. To fix a relative interval, in the Events section, in the time interval drop-down list, select Apply current range. You can now manage groups within this query.

In the events table, in the Timestamp field, you can select the format in the context menu.