Datasets

Overview

Use Analysis > Datasets to save analysis conditions that you want to run again later. You can register a plain query as a dataset, or build a correlation-analysis dataset by combining multiple existing datasets. This makes the page a practical handoff point between Pivot, Query, and dashboard workflows.

In practice, a dataset is closer to a saved analysis definition than a permanently frozen result set. If the query uses relative time ranges such as the last hour or the last week, running the same dataset again will reflect the current time window and underlying source data.

Correlation-analysis datasets reuse the same dataset-builder flow that also appears in Pivot. You can assemble datasets here, save the structure, and continue refining the correlation logic from the pivot editor when needed.

Dataset Creation Queries

Datasets are defined with Logpresso query statements that retrieve and transform data. In practice, dataset queries usually follow this pattern:

  1. Define the time range. Most datasets use relative time windows, so duration options or time variables are commonly included.
  2. Retrieve data with table or fulltext.
  3. Apply schema when you need normalized field names and structure.

Below are examples from real app datasets.

Example 1) Query with time variables

The Google Workspace Login dataset from the Google Workspace app (version 1.7.2504.0):

set _from=string(nvl($("_from"), datetrunc(ago("1w"), "1d")), "yyyyMMddHHmmss")
| set _to=string(nvl($("_to"), now()), "yyyyMMddHHmmss")
| table from=$("_from") to=$("_to") *:GOOGLE_LOGIN* | schema google-workspace-login

Example 2) Query using duration

The FortiGate SSL VPN dataset from the FortiGate app (version 1.3.2502.0):

fulltext tt=t duration=1d subtype == "vpn" and log_desc == "SSL VPN*" from *:FW_FORTIGATE*
| schema fortigate-sslvpn
Note
If a dataset query uses relative time conditions, the result can change every time you run it. The saved dataset definition stays the same, but the evaluated time window keeps moving.

Dataset Query Command

You can reuse a saved dataset from a query with the dataset command.

dataset guid="DATASET_GUID"

You can find the dataset GUID in the browser address bar. For example, if the URL looks like .../dataset/3e52c74f-dd74-4894-99d2-c305d5c6d837, that value is the dataset GUID.

The Google Workspace Login Task Statistics widget from the Google Workspace app also references a dataset in this way.

dataset guid="3e52c74f-dd74-4894-99d2-c305d5c6d837"
| pivot count() rows Task | limit 10000
Note
Widgets and pivots do not read a frozen snapshot by default. They rerun the saved dataset definition, so source permissions and time conditions still matter.

User Permissions

Users with dataset-view permission can open the page, but creating, editing, and deleting datasets depends on dataset-edit permission as well as ownership or sharing rules.

Note
Administrative accounts can manage datasets regardless of sharing settings. Standard users can only work with datasets that are shared with them, and they may still be blocked if they do not have permission to access the underlying tables or source data referenced by the dataset query.

App Datasets

When you install an app, the app can include datasets used by its dashboards and analysis examples.

  • App datasets may be refreshed when the app is reinstalled or updated.
  • The administrator who installed the app becomes the owner of those datasets.
  • Standard users must be included in sharing settings to reuse app datasets in pivot, query, or widget workflows.

App datasets often use a table pattern like this:

*:TABLE_NAME*
  • *: means all collection nodes.
  • The trailing * acts as a wildcard suffix.
  • In production environments, it is better to keep table names consistent by combining source category and device identity.
Note
Before reusing an app dataset, verify that your real collector and table naming rules match what the app dataset query expects.

View and Search the Dataset List

You can browse or search datasets in Analysis > Datasets.

Dataset list

  • Type: Shows whether the dataset is a Query dataset or a Correlation Analysis dataset.
  • Name: The dataset name. Clicking a row opens the edit side panel.
  • Description: A short explanation of the dataset.
  • Owner: The account that created the dataset.
  • Modified: The most recent update time.

To find a dataset quickly, use the search box in the toolbar. In the current v5 screen the placeholder is Search, and the filter matches dataset names.

Download the List

To export the dataset list, click Download in the toolbar.

Download dataset list

  • File Name: Name of the export file.
  • Columns: Fields to include in the file.
  • File Format: Choose CSV, Excel XML, Microsoft Word, HTML, JSON, or PDF.
  • Encoding: Character encoding for the file.
  • Range: Number of dataset rows to include.
Refresh the List

To reload the latest dataset information, click Refresh in the toolbar.

Add a Dataset

To add a dataset:

  1. In Analysis > Datasets, click Add in the toolbar.
  2. Fill in the fields in the New Dataset side panel.

Add dataset

  • Name: Dataset name (required, up to 255 characters).
  • Description: Dataset description (up to 2,000 characters).
  • Account: Search for and add accounts to share the dataset with.
  • Account Group: Search for and add account groups to share the dataset with.
  • Dataset Type: Select the save method (default: Query, range: Query, Correlation Analysis).
    • Query: Enter the query that defines the dataset.
    • Correlation Analysis: Build a dataset by combining existing datasets.
  • Query: The query string for the dataset (required).
  • Data View: Preview area used to run the current definition and inspect the result before saving.
  1. In Data View, click Run to make sure the result is valid.

Dataset preview

  1. When the definition looks correct, click OK at the top of the side panel.

Dataset validation

Add a Correlation Analysis Dataset

To create a correlation-analysis dataset, change Dataset Type to Correlation Analysis.

Add correlation-analysis dataset

  1. Change Dataset Type to Correlation Analysis.
  2. Search or select datasets from the left-side source list.
  3. Drag datasets into the builder area on the right.
  4. For the second dataset and after, drop the card on the left or right side of the existing card to define the correlation order.
  5. Use the operator area between cards to choose a mode such as union or a join variant.
  6. Review the generated execution query shown below the builder, then click Run in Data View to preview the result.
  7. Click OK when the configuration is ready to save.
  • The left panel contains both a search box and a dataset list.
  • The right builder area shows dataset cards and their visual connection structure.
  • You can remove a dataset from the current structure with the close icon on the card.
  • The query pane at the bottom shows how the current builder structure is translated into an executable query.
  • Join-based modes require correlation keys built from fields shared by both datasets.

Clicking the connector icon between dataset cards opens the correlation-type popup.

Correlation type selection

  • Union: Appends the two dataset results.
  • Inner, Left, Right, Full Outer, Left Only: Each mode changes which side of the joined result is retained.
  • When you choose a non-union mode, you must define join keys from compatible shared columns or enter them manually.
Note
After saving a correlation-analysis dataset, you can continue editing the logic from the Pivot screen.

Edit a Dataset

To edit a dataset:

  1. Click the row you want to edit in the dataset list.
  2. Update the fields in the Edit Dataset side panel.

Edit dataset

  • For query datasets, you can update Name, Description, Account, Account Group, and Query.
  • The Data View area is still available in edit mode, so you can rerun the dataset before saving.
  • For query datasets, the Dataset Type selector is not shown in edit mode.
  1. Click OK to save the change.

Edit a Correlation Analysis Dataset

When you open a correlation-analysis dataset, the screen may show a Run Plan area instead of the editable query field.

  • Run Plan: Shows the saved correlation structure as a read-only query.
  • Edit pivot entity: Opens the pivot screen so you can modify the correlation logic.

Delete Datasets

To delete datasets:

  1. Select one or more rows with the checkboxes in the list.
  2. Click Delete from the selection action toolbar.
  3. In the Delete Dataset dialog, confirm the target items and click Delete.

Delete dataset

Note
If only some items fail during deletion, the UI opens a failure list dialog and removes the successfully deleted items from the list.

Generate a Dashboard from Selected Datasets

If your account has both dashboard edit permissions and dashboard widget edit permissions, an AI dashboard-generation action may appear for selected datasets.

AI dashboard generation from datasets

  • Select one or more datasets in the list.
  • Click the AI dashboard-generation action in the selected-items area.
  • Enter the dashboard name and prompt, then start the generation task.

How Datasets Are Reused

Saved datasets can be reused in these common flows:

  • Load them as a source in Pivot for further aggregation and visualization.
  • Reference them from a query with dataset guid="...".
  • Use them as a data source for dashboard widgets.
  • Combine them with other datasets when building correlation-analysis datasets.