Investigate

The Investigate section is where most day-to-day work happens. It contains the main query interface, your query history, and saved queries.

Query

The Query page is the home page of Osprey. It’s a live investigation workspace with three panels.

[Screenshot: Osprey Home]

Query input

The left panel is where you write and run queries. Osprey uses SML syntax—the same language used to write rules—to filter and search event data. See Query Syntax for a full reference.

[Screenshot: Query Box]

As you type, the input offers autocomplete suggestions for feature names, action names, and UDFs. Hovering over any UDF name shows a tooltip with its description.

[Screenshot: Query UDF Hover]

The active query is reflected in the page URL, making it easy to share a specific investigation with a teammate. Be aware that sharing the URL also shares whatever is in the query, which may include sensitive query parameters.

Time range

Every query runs against a time window. You can choose a preset interval—from the last second up to the last three months—or set a custom date range using the date picker.

[Screenshot: Query Time Range]

The entire page updates dynamically when the query or time range changes, and interacting with any other panel (charts, event stream) can also update the query in turn.

Charts

The center panels show two types of visualizations:

[Screenshot: Charts]

Timeseries displays how many matching events occurred over time. You can set the granularity—minute, fifteen minutes, half hour, hour, day, week, or month—and hover over individual bars to see the count for that period.

[Screenshot: Time Series Hover]

You can add additional timeseries charts to compare different time granularities side-by-side. Charts you no longer need can be removed (“yeeted”).

[Screenshot: Multiple Time Series]

Top N shows a table of the top results for the current query, grouped by a dimension you choose. You can:

  • Add or remove dimension columns
  • Adjust the number of results shown (precision)
  • Enable Period over Period (PoP) to compare current results against a past time window and see the delta
  • Export the table as a CSV
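To make the Timeseries bucketing and the Top N / Period over Period computation concrete, here is an added example that is not Osprey's own code. It assumes a simple event shape (a timestamp plus a dict of feature values), a constructed sample set, and a PoP definition of "current window compared against the immediately preceding window of the same length, delta = current minus previous"; the CSV export mirrors the table's columns.

```python
"""Added example (not Osprey's own code): timeseries bucketing, Top N grouping,
Period over Period (PoP) deltas and CSV export over a constructed event list.
Event shape, field names and the PoP definition are assumptions."""
import csv
import io
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample events: (timestamp, feature dict). Not real Osprey data.
_T0 = datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    (_T0 + timedelta(minutes=m), {"action": action, "ip": ip})
    for m, action, ip in [
        (0, "login", "10.0.0.1"),
        (5, "login", "10.0.0.2"),
        (20, "login", "10.0.0.1"),
        (70, "login", "10.0.0.1"),   # from here on: the second hour
        (75, "signup", "10.0.0.3"),
        (80, "login", "10.0.0.1"),
        (90, "login", "10.0.0.4"),
        (100, "signup", "10.0.0.3"),
    ]
]
CURRENT_START = _T0 + timedelta(hours=1)   # current window: second hour
CURRENT_END = _T0 + timedelta(hours=2)

# Granularities offered by the Timeseries chart ("month" omitted: not a fixed step).
GRANULARITY = {
    "minute": timedelta(minutes=1),
    "fifteen_minutes": timedelta(minutes=15),
    "half_hour": timedelta(minutes=30),
    "hour": timedelta(hours=1),
    "day": timedelta(days=1),
    "week": timedelta(weeks=1),
}
_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def bucket_start(ts, step):
    """Floor a timestamp to the start of its epoch-aligned bucket."""
    return _EPOCH + (ts - _EPOCH) // step * step


def timeseries(events, start, end, granularity):
    """Count events per bucket over [start, end); empty buckets are kept so the
    chart shows gaps rather than silently skipping them."""
    step = GRANULARITY[granularity]
    counts = Counter(bucket_start(ts, step) for ts, _ in events if start <= ts < end)
    out, b = [], bucket_start(start, step)
    while b < end:
        out.append((b, counts.get(b, 0)))
        b += step
    return out


def _counts(events, dimension, start, end):
    """Group events in [start, end) by one feature value (the Top N dimension)."""
    return Counter(f.get(dimension) for ts, f in events if start <= ts < end)


def top_n(events, dimension, start, end, n=10):
    """Top N rows as (value, count), most frequent first."""
    return _counts(events, dimension, start, end).most_common(n)


def top_n_pop(events, dimension, start, end, n=10):
    """Top N for the current window with a PoP delta against the preceding
    window of equal length (assumed definition; values absent before count as 0)."""
    window = end - start
    cur = _counts(events, dimension, start, end)
    prev = _counts(events, dimension, start - window, start)
    return [
        {"value": v, "current": c, "previous": prev.get(v, 0), "delta": c - prev.get(v, 0)}
        for v, c in cur.most_common(n)
    ]


def rows_to_csv(rows):
    """Serialize PoP rows the way a table export would (header + one row per value)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["value", "current", "previous", "delta"],
                            lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    for bucket, count in timeseries(SAMPLE_EVENTS, _T0, CURRENT_END, "half_hour"):
        print(bucket.isoformat(), count)
    print(rows_to_csv(top_n_pop(SAMPLE_EVENTS, "ip", CURRENT_START, CURRENT_END)))
```

Buckets are aligned to the epoch rather than to the query start so that two charts with different granularities line up, which is what makes the side-by-side comparison described above meaningful.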

[Screenshot: Top N Charts]

[Screenshot: Period over Period]

Event stream

The right panel is Osprey’s live feed. It shows individual events matching the current query in near-real time, and can also be used to search historical events.

[Screenshot: Event Stream]

The stream can be displayed in card format or list format. You can customize which fields appear per event by selecting Summary Features, which is helpful when different team members care about different metadata.

[Screenshot: Summary Features]

Selecting an entity in the event stream (such as a user ID or IP address) opens the Entity Details view. Hold Ctrl (⌘ Cmd on macOS) while clicking to select multiple events for bulk labeling.

Selecting an event opens a detail view at /events/:eventId showing all extracted feature values for that specific event.

Query History

Every query you run is automatically saved to your history.

[Screenshot: Query History]

Hovering over a query in the sidebar shows the Top N dimensions that were active during that session.

The full Query History page (accessible from the sidebar) shows a searchable list of all queries run across your team. You can filter by user email, view the original query text, and re-run any past query using the same time range it was originally run with.

[Screenshot: Query History Page]

Saved Queries

For queries you return to frequently, Osprey lets you save them by name.

[Screenshot: Save Query]

The Saved Queries page (accessible from the sidebar) shows a grid of all saved queries with the query text, the user who saved it, and when it was saved. You can filter by user email.

[Screenshot: Saved Queries Page]

From the grid, you can:

  • Run a saved query to load it into the Query page
  • Rename it via an edit modal
  • Delete it (with a confirmation step)

Saved queries also have a direct URL: /saved-query/:savedQueryId/latest automatically loads and executes the query.