Concepts in brief

This chapter presents all the concepts that are at the core of Squey. The understanding of each and every concept is not mandatory to start using the software but you are encouraged to read it beforehand.

The organisation of this chapter is more logical than alphabetical but to ease the use of this chapter as a reference, an alphabetically ordered list of links to concepts is provided below :

• Axes combination

• Axis

• Column

• Data collection

• Event

• Field

• Filter

• Format

• Input

• Invalid event

• Investigation

• Layer

• Line Property

• Mapping

• Scaling

• Selectable event

• Selection

• Source

• View

• Workspace

• Zombie event

• Zone

Input

An Input is a the smallest supported dataset unit such as:

1. Text files

2. Apache Parquet files

3. PCAP Files

4. Database queries

5. Elasticsearch queries

One or more Inputs are processed into a Source using a Format during the data ingest phase.

Format

A Format describes how one or more Inputs will be processed and represented as a Source. It gives the logic about how the Events are split into Fields; it gives meta-informations about Fields too, such as:

• their type

• their displayed name

• their associated Mapping;

• their associated Scaling;

• and a few more parameters.

A Format also provides an Axes combination.

Note

Formats are internally managed for every Inputs that are not a Text files and you won’t even see them.

Source

A Source is the association of one or many Inputs and a Format. Is it the equivalent of a worksheet in a spreadsheet software.

As an example, a set of Text files with the same structure, associated with a Format specifying how to extract the wanted Fields forms a Source.

Event

An Event is a coherent data unit of a Source containing one value of each Column.

Note

It is represented as a row on the Listing View, as a broken line on the Global Parallel Coordinates View, as a point on a Scatter Plot View and participate to the positionning of a data point in the Series View and Hit Count View.

Invalid event

An Invalid event is an Event that failed to be properly processed by a Format.

Invalid events can be generated on two distinct cases :

1. When a discrepency is present in the Input

2. When there is a mismatch between the Format logic and the data contained in the Input. Usually, the Format can be refined to reduce and/or avoid these.

Note

Invalid events are never discarded silently and are always listed in the “Error” tab.

Invalid value

Even in case of a valid Event, it can also happen that one or more values do not conform to the expected type (eg. a string is encountered instead of a number).

In such a case, the Invalid value is nevertheless displayed but with a noticeable accent, eg:

• Displayed in italic in the Listing View and the Distinct values dialog

• Displayed at specific place in the bottom of the Axis

They can also be searched specifically by the search feature.

Field

A Field is a specific part of an Event.

The complete splitting process of an Event into smaller Fields is described in the Format associated to one or more Inputs.

Column

A Column is an ordered list of all the values contained in a given Field in a given Source.

Axis

An Axis is the mathematical representation of a Column found in a given Source. It is then completely tied to the Column it represents.

The term Axis will often come when dealing with graphical representations called Views.

A paire of Axis forms a Zone.

Mapping

A Mapping is a first mathematical function that is applied to all the values of a Column so that they can be ordered on the associated Axis.

Squey offers different Mapping functions. Some are generic and can be applied to any type of values of Fields. Some are only meaningfull on specific types of Fields.

Note

Mappings can be changed in real time during an analysis.

Scaling

A Scaling is a second mathematical function applied on ordered values and determines how values are scaled over the axis.

There are three Scaling functions:

• Min/max : uses a linear scale

• Log Min/max : uses a logarithmic scale

• Uniform : uses a uniform scale

Note

Scalings can be changed in real time during an analysis.

Axes combination

An Axes combination is an arbitrary multi-set of available axes. It is a convenient way to express alternative ordering of axes (as well as removal and/or duplication) in order to make analyses more fluid.

View

A View is a widget that present and allow to manipulate any kind of data.

See Views in Squey.

Selection

A Selection is a subset of selected Events of the current Layer.

Selections are the core of the interactivity in Squey because Views are updated in real time when they change allowing thereby to conduct deep analyses.

Layer

A layer is a saved Selection.

Investigation

Investigations are meant to allow the users to save their work and be able to quickly resume their analysis later on. It allows them to save:

• all the Layers and their states

• the ingested processed data

• a connection to the original data in order to be able to export subsets of it

Note

Reloading an Investigation is way faster than reimporting the original data again because the ingestion phase will be skipped out.

Workspace

A Workspace is a dockable area containing all the displayed Views of a Source.

Data collection

A Data collection is a convenience to manually regroup different Sources according to arbitrary criteria. These criteria can be duration covered by the Sources, the sources types, etc.

Zombie event

A Zombie event is an Event which does not belong to the current Layer.

Selectable event

An Event is selectable if it belongs to the current layer event set.

Line Property

A Line Property is a property set attached to the Events of a Layer, such as their colors or their selectability.

Filter

A Filter is an algorithm used to alter the Line Property of the current active Layer of the Layer Stack View.

Zone

A Zone is a pair of Axes or of Columns.