
Query Analyzer


Purpose: Query Analyzer is one of the central features of the Insights module. The Query Analyzer app allows you to write queries, view data in a tabular format, create visualizations, and add data to a case.
Last Updated: March 26, 2025

What is Query Analyzer?

The Query Analyzer is Raven’s powerful tool for exploring, analyzing, and visualizing data using SQL queries. It allows users to interact with their organization’s data efficiently, uncover insights, and create visualizations for better decision-making. In the Query Analyzer you can:

  • Run SQL Queries: Write and execute PostgreSQL-supported queries to retrieve data from the Raven Fusion Layer.
  • Explore Tables: Access a comprehensive list of tables and columns to construct precise queries tailored to your needs.
  • Save Queries: Store frequently used queries for quick access, manage them effectively, and track execution details like runtime and rows returned.
  • View Query History: Review previously executed queries with detailed logs, including status, execution time, and results.
  • Filter Results: Apply filters directly within the query results table to refine data without additional SQL prompts.
  • Visualize Results: Transform query outputs into charts by selecting chart types and assigning relevant data fields.
  • Add Data to a Case: You can enrich the context of your analysis or investigation by adding query results directly to a case.

How to Access the Query Analyzer

To access the Query Analyzer:

  1. Navigate to the "Insights" section in the platform.
  2. Select "Query Analyzer" from the menu.

Query Analyzer Options

Saved Queries: The Saved Queries section allows users to store and manage frequently used queries.

Query History: The Query History section provides a chronological list of previously executed queries.

Tables: The Tables section lists all available tables and columns in your instance, helping users construct precise queries.

How to use Query Analyzer

Step 1: Write a Query

  1. Open the Query Analyzer interface.
  2. Open a new SQL prompt tab.
  3. Click on the “Tables” button on the top right to explore available tables in your team.
  4. Write your SQL query in the input field (PostgreSQL and PRQL supported).
  5. Click "Run Query" to execute it.

Step 2: Review the Results

After running a query, two sections become available:

  1. Query Results displays retrieved data in a table format. Users can search within results or download them as Excel or Arrow files.

  2. Users can filter query results directly within the table view. This helps to quickly explore your query results without writing extra SQL prompts.

    • Review the available columns of your query results and click on the values to apply filters.
    • Alternatively, you can use the “+ Add Filter” button for advanced filtering options.
    • Clear individual filters by clicking the delete button on the filter, or click the “Clear All” button to remove all filters.

Step 3: Visualize Results

  1. Select your chart.
  2. Add columns to the chart parameters.
  3. Add aggregations to your value parameter by left-clicking on the field.
  4. Review your visual.
  5. Click “Save as Pane” to reuse the visual in your dashboards.
  6. Set a cron for your page to dictate the refresh schedule of the underlying query. This ensures that your pane stays up to date.

Using Regular Expressions in Queries

Regular expressions (regex) enable flexible text searches within SQL queries. They are particularly useful for matching patterns rather than exact terms.

Example 1: Case-insensitive matching

To match any author name containing “michael” (case-insensitive):

SELECT * FROM security_events WHERE author ~* 'michael';

Example 2: Pattern matching

To match patterns where "DT" is followed by any single character and then "CT" (e.g., DTACT, DTOCT, DT1CT):

SELECT * FROM security_events WHERE event_description ~ 'DT.CT';
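
The operators from the two examples above, compared side by side on constructed rows (an added example, not taken from Raven's documentation). The sample_events CTE and its rows are made up for illustration and reuse only the author and event_description column names from this page; stock PostgreSQL regex behavior is assumed.

```sql
-- Constructed sample rows: the CTE stands in for security_events and reuses only the
-- two column names shown on this page. Assumes stock PostgreSQL regex semantics.
WITH sample_events (id, author, event_description) AS (
    VALUES
        (1, 'Michael Chen',  'DTACT'),
        (2, 'MICHAELA ROSS', 'code DT1CT raised'),
        (3, 'carmichael',    'DT.CT'),
        (4, 'Ana Lima',      'dtact'),
        (5, 'Jon Park',      'DTCT'),
        (6, NULL,            'ADTXCTZ')
)
SELECT
    id,
    author,
    event_description,
    -- ~* ignores case and matches anywhere in the value, including inside a longer name.
    author ~* 'michael'                   AS author_any_case,
    -- ^ pins the match to the start; ( |$) requires a space or end of value after it.
    author ~* '^michael( |$)'             AS author_first_name,
    -- !~* is the negated form. A NULL author yields NULL for both ~* and !~*,
    -- so such rows fall out of either WHERE clause unless handled explicitly.
    author !~* 'michael'                  AS author_excluded,
    -- ~ is case-sensitive and unanchored: the pattern may sit inside a longer string.
    event_description ~ 'DT.CT'           AS desc_anywhere,
    -- ^ and $ require the whole value to be exactly DT, one character, then CT.
    event_description ~ '^DT.CT$'         AS desc_whole_value,
    -- A character class narrows "." to an uppercase letter or digit.
    event_description ~ '^DT[A-Z0-9]CT$'  AS desc_alnum_middle,
    -- [.] matches a literal dot rather than "any single character".
    event_description ~ 'DT[.]CT'         AS desc_literal_dot
FROM sample_events
ORDER BY id;
```

Comparing the boolean columns row by row shows which events an unanchored pattern pulls in beyond the intended ones, which matters when the query result feeds a case or a scheduled pane.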

Learn more about supported regex operators here.

Adding Query Results to Cases

You can enrich the context of your analysis or investigation by adding query results directly to a case. Follow these steps:

  1. Select Rows

    • To add specific rows, click the checkmark on the left side of each row in the query results table.
    • To select all rows, click the checkmark in the header row.
  2. Add Events to a Case

    • Once rows are selected, the “Add Event to Case” button will become clickable above the table.
    • Click this button to assign the selected rows to an existing case or create a new case.
  3. Contextualize Your Case

    • The selected rows will be added as Related Events in your case.
    • These events provide additional context and can also be referenced in your Assistant chat for further analysis.

By integrating query results into cases, you ensure that all relevant data is centralized and easily accessible for comprehensive investigations.