Data Explorer
Overview
Data Explorer gives you direct, flexible access to your organization's collected telemetry data. Build custom queries against health metrics, events, event batches, correlations, patterns, and live sessions without writing SQL. Results are displayed as interactive charts and sortable data tables.
Access Data Explorer from the Reports page by clicking the Data Explorer tab in the sub-navigation bar. Requires a paid subscription (Professional tier or higher).
Query Builder
The query builder has three tabs:
Templates
Pre-built queries for common scenarios. Click any template to populate the query builder with a ready-to-run configuration. Templates are organized by data source (health metrics, events, correlations, etc.) and cover use cases like CPU trends over time, top error providers, event volume by agent, and fleet health comparisons.
Custom Query
Build queries from scratch using the visual query builder:
- Data Source — Select which table to query: Agent Health Metrics, Events, Event Batches, Correlation Analyses, Detected Patterns, ETW Event Correlations, or Live Sessions
- Time Range — Choose preset ranges (1 hour to 30 days) or specify custom start/end dates
- Interval — Bucket results by time period (1 minute, 5 minutes, 1 hour, 1 day, 1 week) for trend visualization
- Group By — Aggregate results by a dimension. Available fields vary by data source and include: Agent ID, Server Name, Agent Type, Environment, OS Version, Agent Version, Provider Name, Event ID, Level, Status, Session Type, and more
- Metrics — Choose which numeric columns to aggregate. Supported aggregations: AVG, MIN, MAX, SUM, COUNT
- Filters — Narrow results with conditions. Operators include: equals, not equals, greater than, less than, LIKE (pattern matching), IN, and NOT IN
My Views
Save query configurations for quick re-use. Saved views store the full query definition (data source, time range, metrics, filters, group by) along with the preferred chart type. Shared views are visible to all members of your organization.
Chart Types
Results can be visualized as:
- Line Chart — Best for time-series trends (CPU over time, event counts by hour)
- Bar Chart — Best for comparisons (top agents by CPU, events by provider)
- Area Chart — Stacked area for cumulative trends
- Table — Raw data with sortable columns
Charts are rendered using Chart.js and support hover tooltips showing exact values. Switch between chart types at any time without re-running the query.
Virtual Columns via JOIN
Some data sources like Agent Health Metrics store only the Agent ID. The Data Explorer automatically joins to the Agents table to provide additional grouping and filtering options:
| Data Source | Additional Fields |
|---|---|
| Agent Health Metrics | Server Name, Agent Type, Environment, OS Version, Agent Version |
| Event Batches | Server Name, Agent Type |
| Live Sessions | Server Name |
| Events | Server Name, Agent Type (native) |
These fields are available for both grouping and filtering, enabling queries like "average CPU by Environment" or "event count grouped by Server Name."
Security
All queries are executed through a hardcoded allowlist in the QueryEngine. No arbitrary SQL is accepted. Organization scoping is injected server-side from the authenticated JWT — the client cannot override or access data from other organizations. All filter values use parameterized queries to prevent SQL injection.