Polygraph Diff Selector and Search
Diff Selector
You can use the Diff filter to compare activities from two different hours when viewing the polygraph. The Diff filter is located in the upper right-hand corner of the polygraph.
The following steps show you how to use the Diff filter to refine the polygraph.
When the filter is in the default state, click and drag the timeline located at the bottom of the polygraph left or right to display the desired date and time. Select the initial hour. The selected hour becomes highlighted with a blue rectangle.
Hover over the Diff icon to display all filters. Select one of the following filters to display:
Show Graph Union - This filter displays activities using the following color code:
- Blue lines represent the initial hour selected.
- Purple lines represent the hour being compared.
- Gray lines represent the activities the hours being compared had in common.
Show Graph Intersection - This filter displays only the activities the hours being compared had in common.
Show Graph Difference - This filter displays the activities associated with the hours being compared using the following color code:
- Blue lines represent the initial hour selected.
- Purple lines represent the hour being compared.
By default, the hour before your selected initial hour becomes highlighted with a purple rectangle. From the timeline, select the hour you want to compare. The selected hour becomes highlighted with a purple rectangle.
Search
The polygraph displays and formats the search results depending on the expression you used.
Note: The search expression you use affects only the information that is displayed in the polygraph. It does not affect the information that is displayed in other tables in the dossier.
"Must Contain" Expressions
The search function supports the following types of queries:
alice
- Must contain "alice".
(alice)
- Must contain "alice".
alice bob
- Must contain both "alice" and "bob" in the same node name in any order.
For "must contain" expressions, the node names that match your search criteria are highlighted in purple. The polygraph hides nodes that don’t match your search criteria.
For example, the expression kubelet displays only processes that are attached to "kubelet".
"Must Not Contain" Expressions
The search function supports the following types of queries:
-alice
- Must not contain "alice".
(-alice)
- Must not contain "alice".
For “must not contain” expressions without parentheses, the node names that meet your search criteria are highlighted in black. The polygraph hides nodes that don’t match your search criteria.
For “must not contain” expressions with parentheses, the polygraph displays all nodes. The node names that match your search criteria (meaning they do not contain the search text) are highlighted in purple. The node names that don’t match your search criteria (meaning they contain the search text) are highlighted in black.
In the following examples, the resulting polygraphs for the two "must not contain" expressions are different:
With the -kubelet expression, the polygraph displays all processes except the processes that are attached to "kubelet".
With the (-kubelet) expression, the polygraph displays all processes but highlights communication matching the search criteria in purple, and highlights "kubelet" in black.
Multiple Expressions
Note: Always capitalize operators such as AND and OR.
The search function supports the following types of queries:
((alice bob) OR (charlie david))
- Must contain both "alice" and "bob" or must contain both "charlie" and "david" in the same node name in any order.
((alice AND bob) OR (charlie AND david))
- Must contain both "alice" and "bob" or must contain both "charlie" and "david" in the same node name in any order.
(alice AND bob) OR (-charlie)
- Must contain both "alice" and "bob" in the same node name in any order; or must not contain "charlie".
A “must not contain” expression may hide nodes. A “must not contain” expression used with another expression shows the node, but does not highlight it if it's connected to a highlighted node. See the following examples:
With the -api expression, the polygraph hides the "api" nodes.
With the -api AND python expression, the polygraph highlights a "python" node, and the "api" nodes that are connected to it remain visible but aren't highlighted.
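The following is an added example, not Lacework's own code: a small parser and evaluator for the search syntax described in the three sections above (bare terms, the "-" prefix, parentheses, and AND/OR), which decides whether a given node name satisfies an expression. It assumes an operator precedence the page does not state ("-" binds tightest, adjacent terms and AND next, OR loosest) and a case-insensitive substring match; the hide-versus-highlight rendering rules are UI behaviour and are not modelled.

```python
import re

# Added example, not Lacework's code. Assumptions the page does not state: "-" binds
# tightest, adjacency and AND next, OR loosest; match = case-insensitive substring test.
_TOKEN = re.compile(r"\(|\)|-|\bAND\b|\bOR\b|[^\s()\-]+")

def parse(expression):
    toks = _TOKEN.findall(expression)
    peek = lambda: toks[0] if toks else None
    def factor():
        tok = peek()
        if tok == "-":                        # "must not contain" prefix
            toks.pop(0)
            return ("not", factor())
        if tok == "(":                        # grouped sub-expression
            toks.pop(0)
            node = expr()
            if not toks or toks.pop(0) != ")":
                raise ValueError("missing ')'")
            return node
        if tok is None or tok in (")", "AND", "OR"):
            raise ValueError(f"unexpected token {tok!r}")
        return ("contains", toks.pop(0).lower())
    def term():                               # bare adjacency is an implicit AND
        node = factor()
        while peek() not in (None, ")", "OR"):
            if peek() == "AND":
                toks.pop(0)
            node = ("and", node, factor())
        return node
    def expr():
        node = term()
        while peek() == "OR":
            toks.pop(0)
            node = ("or", node, term())
        return node
    tree = expr()
    if toks:
        raise ValueError("unbalanced ')'")
    return tree

def matches(expression, node_name):
    def ev(n):
        if n[0] == "contains":
            return n[1] in node_name.lower()
        if n[0] == "not":
            return not ev(n[1])
        left, right = ev(n[1]), ev(n[2])
        return left and right if n[0] == "and" else left or right
    return ev(parse(expression))
```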