Columns Tab
The Columns tab of the Report Wizard allows you to add and remove columns from a report; set the labels that appear in the report; and specify sorting, aggregation, and formatting, as applicable.
The Columns tab consists of three components:
- Available Columns: Each report consists of a series of columns, much like a spreadsheet. Within the Available Columns list, each column is organized by its type. For example, all of the columns that describe a search (for example, date/time and duration) appear under the section Searches. When the checkbox "This report will either be joined to another report or used for secondary analytics." is selected on the Reports tab, additional columns appear in each section that are not otherwise visible. These additional columns mostly include unique identifiers and do not provide any value on their own, but rather are used to create relationships to other reports. These additional columns have a gray icon
whereas the regular columns have a green icon 
. - Selected Columns: The Selected Columns list displays the columns that are included in the report. The columns appear in the report from left to right in the same order that they appear in this list from top to bottom. A column does not appear in the report if the Hidden property has been selected.
- Column Properties: This component is only visible when a column is highlighted in the Selected Columns list. The column properties specify how the column appears in the report including the column header, or label and whether or not the column is visible.
|
In this article |
Adding Columns
To add a column to the report, click and hold on the column in the Available Columns list and drag it to the Selected Columns list and then release the mouse button. Alternatively, highlight a column in the Available Columns list and use the Include ribbon button in the Columns group or right click on the column and select Include. Once added, the column appears in the Selected Columns list.
Columns marked with are only visible if the "This report will either be joined to another report or used for secondary analytics" checkbox option has been selected on the Report tab of the report wizard. These columns are used for joining reports and for counting records within a report.
The available columns are described below:
- Searches:
| Field | Description |
|---|---|
| Search Identifier |
Uniquely identifies a specific search stored in the database. |
| Search Date/Time | The time stamp, local to the Agent, of the start of the search during which the result was found. |
| Search Duration | Duration of the search, in seconds. |
| Search User Identifier |
Uniquely identifies a specific search user stored in the database. |
| Endpoint Identifier |
Uniquely identifies a specific endpoint stored in the database. |
| Endpoint Name | The display name of the endpoint on which the result was found. |
| Source Endpoint Identifier |
Uniquely identifies a specific source endpoint stored in the database. |
| Source Endpoint Name | The display name of the endpoint which performed the search. |
| Task Identifier |
Uniquely identifies a specific task stored in the database. |
| Task Name | The task that initiated the search. |
| Locations Searched | The total number of file locations seen during a search. |
| Locations Identified | This is the total number of file locations seen during a search. This includes searchable and non-searchable locations. If a file location is not searchable due to the file type being excluded or the file size being greater than the number of megabytes (MB) specified, that file is not counted. The contents of excluded folders are not included in this count. |
| Locations with Matches | The number of file locations seen during a search compared to the target endpoint Agent log. |
- Matches:
| Field | Description |
|---|---|
| Match Identifier |
Uniquely identifies a specific match stored in the database. |
| Search Identifier |
Uniquely identifies a specific search stored in the database. |
| Location Identifier |
Uniquely identifies a specific location in which the match was found stored in the database. |
| Date/Time | The time stamp, local to the Agent, of the start of the search during which the result was found. This is the time stamp for the first time the match was found. |
| Found Search Date/Time | The time stamp, local to the Agent, of the start of the search during which the result was found. |
| First Found Search Date/Time | The time stamp, local to the Agent, of the first occurrence the location/match was found. |
| Last Found Search Date/Time | The time stamp, local to the Agent, of the last occurrence the location/match was found. |
| Match | The specific match information itself. For example, the exact social security number or credit card number as found during the search. |
| Data Type Identifier |
Uniquely identifies a specific data type in the database. |
| Data Type | The type of the result. e.g., Date of Birth, Social Security Number. |
| Sensitive Data Type Name | Uniquely identifies specific sensitive data type names. These are the names assigned to a Keyword, Regular Expression, Dictionary, Sensitive Data Definition and Search API in the Sensitive Data Types page of the Admin tab. |
| DB Column Names | The column names where the match was found. |
| Match Hash | Uniquely identifies a specific file hash in the database. |
| Match Quantity | The number of instances of the match in the selected location in the most recent search. |
| Protected Quantity | The number of protected matches in the selected location in the most recent search. |
| Unprotected Quantity | The number of unprotected matches in the selected location in the most recent search. |
| Action Most Recent | The most recent action performed on the result. |
| Match Quantity Historical | The number of instances of the match in the selected location for all searches. |
| Protected Quantity Historical | The number of protected matches in the selected location for all searches. |
| Unprotected Quantity Historical | The number of unprotected matches in the selected location for all searches. |
| Action Historical | All actions performed on a result. For example, if a result has had three actions performed on it, then you see all three actions. |
| Action Reason | The reason that is selected when a result is ignored from the Console or the Agent. |
| Pending Action | An action that has been scheduled but not yet executed on the endpoint. |
- Data Types:
| Field | Description |
|---|---|
| Data Type Identifier |
Uniquely identifies specific data types in the database. |
| Data Type Name | The name of Data Type. (SSN, CCN, Telephone Number, etc.) |
Actions:
| Field | Description |
|---|---|
| None Quantity | The number of results in the selected location which have had no action performed on them in the most recent search. |
| Ignored Quantity | The number of results in the selected location which have had an ignore action performed on them in the most recent search. |
| Globally Ignored Quantity | The number of results in the selected location which have had a global ignore action performed on them in the most recent search. |
| Quarantined Quantity | The number of results in the selected location which have been quarantined in the most recent search. |
| Recycled Quantity | The number of results in the selected location which have been recycled in the most recent search. |
| Redacted Quantity | The number of results in the selected location which have been redacted in the most recent search. |
| Encrypted Quantity | The number of results in the selected location which have been encrypted in the most recent search. |
| Shredded Quantity | The number of results in the selected location which have been shredded in the most recent search. |
| No Longer Exists Quantity | The number of results in the selected location which no longer exist due to their source file having been deleted outside of Spirion Endpoint application in the most recent search. |
| Access Restricted Quantity | The number of results in the selected location which have had their permissions modified in the most recent search. |
| None Quantity Historical | The number of results in the selected location which have had no action performed on them for all searches. |
| Ignored Quantity Historical | The number of results in the selected location which have had an ignore action performed on them for all searches. |
| Globally Ignored Quantity Historical | The number or results in the selected location which have had a global ignore action performed on them for all searches. |
| Quarantined Quantity Historical | The number of results in the selected location which have been quarantined for all searches. |
| Recycled Quantity Historical | The number of results in the selected location which have been recycled for all searches. |
| Redacted Quantity Historical | The number of results in the selected location which have been redacted for all searches. |
| Encrypted Quantity Historical | The number of results in the selected location which have been encrypted for all searches. |
| Shredded Quantity Historical | The number of results in the selected location which have been shredded for all searches. |
| No Longer Exists Quantity Historical | The number of results in the selected location which no longer exist due to their source file having been deleted outside of Spirion Endpoint application for all searches. |
| Access Restricted Quantity Historical | The number of results in the selected location which have had their permissions modified for all searches. |
| Is Location Action | Used as a method to filter results based on how they were ignored. If they were ignored "By Match" this value returns False. If they were ignored "By Location" this value returns True. You would add this column and mark it as a Hidden column and add a filter of "Is Location Action" to the Filters tab and select either "Is True" or "Is False". |
- Failed Locations Actions: For remediation that was scheduled from the Console.
| Field | Description |
|---|---|
| Location Identifier |
Uniquely identifies a specific location in which the match was found stored in the database. |
| Date/Time | The time stamp, local to the Console, of the most recent failed action on the result. |
| Action | The most recent failed action. |
| Code |
An error code telling why the action on a location failed for the most recent failed action. Each code corresponds to a specific Message. -1: Unknown quarantine error. -2: Quarantine location is not defined. -3: Quarantine Location does not exist. -4: File to quarantine does not exist. -5: The file was copied to the quarantine location but could not be shredded from its original location and now exists in both locations. -6: The quarantine warning text file could not be created. -7: A file by this name already exists in the destination location. -21: Unknown shadow volume shred error. -22: VSS client initialization failure. -23: Attempt to get shadow volume root path failed. -24: Attempt to get shadow volume id failed. -25: Shadow volume shred failed. -51: Unknown ignore error. -52: Failed to create client database location for Console-ignore data. -53: Failed to open client database for Console-ignored data. -54: Failed to add ignore data to client database. -75: Unknown SharePoint item shred error. -100: Unknown Cloud Storage item shred error. Note: Additional operating system specific error codes may also be displayed. |
| Message | The reason why the intended action failed. Each message corresponds to a specific Code. See above. |
| Destination | The intended destination of the result for the most recent failed action. |
| Location Identifier Historical |
Uniquely identifies a specific location stored in the database. |
| Date/Time Historical | The time stamp, local to the Console, for all intended actions. |
| Action Historical | The intended action performed on the result for all failed actions. |
| Code Historical | An error code telling why the action on a location failed for all failed actions. |
| Message Historical | The reason why the action failed for each failed action. |
| Destination Historical | The intended destination of the action for all failed actions. |
- Locations:
| Field | Description |
|---|---|
| Location Identifier |
Uniquely identifies a specific location in which the match was found stored in the database. |
| Location | The full path or other location in which the match was found. This column displays enough information to be able to get back to the source of the result from the machine from which it was found. For example, the file path is relative to the client that ran the search; an email location contains message folder names, time stamps, and subjects; a database location includes table and column information; and a website location includes the full URL. |
| Location Core | The part of the location visible by the OS file system or other storage. |
| Location Type Identifier |
Uniquely identifies a specific location type stored in the database. |
| Location Type | The type of location of the result. For example, PDF File, E-Mail Message or Firefox Browser Data. The location types are displayed as produced by the client performing the search or as normalized by the Map Data function. |
| Location Type General Identifier N |
Uniquely identifies a specific general location type stored in the database. |
| Location Type General | The general type of location of the result. For example, database table instead of the specific type of database. |
| ACL Type | The type of Access Control List for the file. Windows or None are currently the only possible values for this column. |
| File owner | The file system owner for locations that are files. |
| File Size | The file size in bytes. |
| Date/Time Created | The timestamp, local to the client, when the file was created. |
| Date/Time Modified | The timestamp, local to the client, when the file was most recently modified. |
| Date/Time Accessed | The timestamp, local to the client, of when the file was last accessed. |
| Search User Identifier |
Uniquely identifies a specific search user stored in the database. |
| Endpoint Identifier |
Uniquely identifies a specific endpoint stored in the database. |
| Source Endpoint Identifier |
Uniquely identifies a specific source endpoint stored in the database. |
| Source Endpoint Name | The display name of the endpoint which performed the search. |
| Classification | The classification level that has been assigned to the location. |
| Classification Priority | A numerical value representing the priority of the classification with the highest priority being a 0, the next highest priority being a 1, and so on. If you have defined 4 classifications, they are represented in this column as 0-3 with 0 corresponding to the highest priority and 3 corresponding to the lowest priority. |
| Rule | The name of the Workflow rule or rules assigned to the result. |
| Workflow Status |
The current workflow state of the location. The possible values are:
|
| Rules Score | The sum of rules weight per location. |
| Classifications Score | The sum of classifications weights per location. |
| Total Score | The total sum of rule and classifications weights per location. |
| Pending Action | An action that has been scheduled but not yet executed on the endpoint. |
- Users With Location Access: For use when Active Directory (AD) is enabled. These columns only return data with AD enabled and when ACL is reported by the Agent and displays only those users that have permissions to locations. Only Windows Agents pass the necessary information for creating the links required to utilize these columns.
| Field | Description |
|---|---|
| User Identifier |
A count of all users that have ACL access to the location. |
| User Name | The name of the user. |
| User Display Name | The display name of the user. |
| User E-mail | The e-mail address of the user. |
| Last Login | The most recent login date and time of a user. |
| Is Console User | Indicates whether a user is a regular Console user (true) or only synced from AD (false). |
| Location Identifier |
Uniquely identifies a specific location stored in the database. |
- ACL:
| Field | Description |
|---|---|
| Location Identifier |
Uniquely identifies a specific location in which the match was found stored in the database. |
| ACE Index | The index of the ACE (access control entry) that was retrieved. A value of zero corresponds to the first ACE in the ACL, a value of one to the second ACE, and so on. |
| Trustee | The user account, group account, or logon session to which an ACE applies. |
| ACE Type | The type of access control entry: Allowed; Denied or Audit. |
| Authorization | The specific rights which the ACE Trustee has to the file. |
| ACE Flags | Indicates whether the child containers or objects can inherit the access control entry from the primary object to which the ACL is attached. |
- Assignments:
| Field | Description |
|---|---|
| Assignee Identifier |
Uniquely identifies a specific assignee stored in the database. |
| Assignee Name | The name of the Console user, Console role or endpoint owner to whom the location has been assigned. |
| Assignee Type |
The possible values are:
|
| Location Identifier |
Uniquely identifies a specific location in which the match was found stored in the database. |
| Assigned Quantity | The number of locations assigned to the user, role or endpoint owner. |
| Unresolved Quantity | The number locations which are 'Unresolved'. |
| Resolved Quantity | The number of locations which have a status of 'Resolved'. |
- Endpoints:
| Field | Description |
|---|---|
| Endpoint Identifier |
Uniquely identifies a specific endpoint stored in the database. |
| Endpoint Name | The display name of the endpoint on which the results were found. |
| Endpoint GUID | The unique identifier for the endpoint on which the results were found. If the endpoint is unmanaged then this field is blank. |
| IP Address | The Default IP address of the endpoint. If the endpoint is unmanaged then this field is blank. |
| IP Addresses | All IP addresses associated with the endpoint. If the endpoint is unmanaged then this field is blank. |
| MAC Address | The Default MAC address of the endpoint. If the endpoint is unmanaged then this field is blank. |
| MAC Addresses | All MAC addresses associated with the endpoint. If the endpoint is unmanaged then this field is blank. |
| Endpoint Version | The version of the Spirion Endpoint application software installed on the endpoint. If the endpoint is unmanaged then this field is blank. |
| Policies State | The current state of the policies applied to the endpoint. |
| Endpoint Platform | The OS of the endpoint as reported by the Agent. If the endpoint is unmanaged then this field is blank. |
| Platform Type |
The platform on which the selected endpoint is running. The possible values are:
|
| Last Poll Time | The date and time (local to the Console server or GMT as defined on the Personal Settings page) that the endpoint last polled the Console to check for any new information. If the endpoint is unmanaged then this field is blank. |
| E-mail Address | The E-mail Address of the endpoint owner. |
| Tags Hierarchy | Displays the highest tag to which the endpoint is a member. If the endpoint is a member of a nested tag, then this displays the parent tag. If the endpoint belongs to multiple tags, there is a separate row for each tag. |
| Tags Hierarchies | Displays only a single row for every endpoint, separating multiple tag hierarchies with a comma. |
- Endpoint Messages: Endpoint messages provide the ability to report on searches where Outlook was closed or timed out during the search and where the user stopped the search prior to its normal completion.
| Field | Description |
|---|---|
| Endpoint Message Identifier |
Uniquely identifies a specific endpoint message stored in the database. |
| Endpoint Identifier |
Uniquely identifies a specific endpoint stored in the database. |
| Search Identifier |
Uniquely identifies a specific search stored in the database. |
| Message ID | The ID of the Message. The Message ID's and the Messages are: -4 'User stopped search' -3 'Outlook timed out' -2 'Outlook closed' -1 'Outlook closed unexpectedly' |
| Message | The messages produced during the related search. See Message ID for the list of possible messages. |
- Endpoint Activity: For a detailed explanation of these columns, see the Endpoint Status Detail State History.
| Field | Description |
|---|---|
| Endpoint Activity Identifier |
Uniquely identifies a specific endpoint activity stored in the database. |
| Endpoint Identifier |
Uniquely identifies a specific endpoint stored in the database. |
| Date/Time | The time stamp, local to the Console, of the time the task state was updated. |
| State | The state of activity on the client. |
| Code | If there is a problem with a software upgrade that has been initiated from the Console, it displays here. |
| Information | Information regarding the software version of client when an upgrade has been initiated. |
Search Users:
| Field | Description |
|---|---|
| Search User Identifier |
Uniquely identifies a specific search user stored in the database. |
| Search User Name | The user account context under which the search was executed. For User scheduled tasks, this is the user name with which the user logged onto the system. For System scheduled tasks this is SYSTEM for Windows and ROOT for Mac OS and Linux. |
- Tags:
| Field | Description |
|---|---|
| Tag Identifier |
Uniquely identifies a specific tag stored in the database. |
| Endpoint Identifier |
Uniquely identifies a specific endpoint stored in the database. |
| Tag Name | The name of the tag to which the endpoint directly belongs. If the endpoint belongs to multiple tags, there is a separate row for each tag. |
- Top Tags:
| Field | Description |
|---|---|
| Top Tag Identifier |
Uniquely identifies a specific top tag stored in the database. |
| Endpoint Identifier |
Uniquely identifies a specific endpoint stored in the database. |
| Top Tag Name | The top level tag for an endpoint. If the endpoint belongs to a nested tag, this displays the top level tag. |
- Global Ignore Lists:
| Field | Description |
|---|---|
| Ignore List Name | The name of the ignore list. |
| Ignored Match | The specific match that was added to the ignore list. |
| Ignored Data Type Identifier |
Uniquely identifies a specific ignored data type stored in the database. |
| Ignored Data Type | The specific data type that was added to the ignore list. |
| Ignored Match Pattern | The match pattern that was added to the ignore list. |
| Ignored Location | The specific location that was added to the ignore list. |
| Ignored Location Type Identifier |
Uniquely identifies an ignored location type stored in the database. |
| Ignored Location Type | The type of ignored location. |
| Ignored Hash | The file hash that was added to the ignore list. |
- All Users: For use when Active Directory (AD) is enabled. These columns only return data with AD enabled and when ACL is reported by the Agent, and displays users regardless of whether or not they have permissions to locations. These are for the purposes of reporting permissions per users. If permissions to a file are granted to a group, this is resolved to users that are members of that group. Only Windows Agents pass the necessary information for creating the links required to utilize these columns.
| Field | Description |
|---|---|
| User Identifier |
Uniquely identifies a specific user stored in the database. |
| User Name | The name of the user that has permissions to the location, as defined in the User Name field in the User section of the Admin tab. |
| User Display Name | The display name of the user that has permissions to the location, as defined in the Display Name field in the User section of the Admin tab. |
| User E-mail | The E-mail address of the user that has permissions to the location. |
| Last Login | The most recent login date and time of a user. |
| Is Console User | Indicates whether a user is a regular Console user (true) or only synced from AD (false). |
- Console Users: The user must have Assign Role permissions to have access to these report columns.
| Field | Description |
|---|---|
| Console User Identifier |
Uniquely identifies a specific Console user stored in the database. |
| Console User Name | The name of the Console user as defined in the User Name field in the User section of the Admin tab. |
| Console User Display Name | The Console users display name as defined in the Display Name field in the User section of the Admin tab. |
| Console User E-mail | The E-mail address of the Console user. |
| Last Login | The most recent login date and time of a Console user. |
| Permission Identifier |
Uniquely identifies a specific permission stored in the database. |
| Permission Name | The permissions granted to the Console user. |
- Console Roles: The user must have Assign Role permissions to have access to these report columns.
| Field | Description |
|---|---|
| Console Role Identifier |
Uniquely identifies a specific Console role stored in the database. |
| Console User Identifier |
Uniquely identifies a specific Console user stored in the database. |
| Console Role Name | The Console users defined role. Valid values are Administrator and User. |
- Service Tasks: The service tasks displays each of the service tasks, their schedule, status, most recent run date, the user who created it and additional information. Uses Service Tasks entity in reports.
| Field | Description |
|---|---|
| Service Task Identifier |
The Console enables you to specify how often, and when specifically, the Service Task should recur. |
| Type | Uniquely identifies specific tasks in the database. (Export, Importing, etc.) |
| Flags | Information regarding the status of the Service Tasks. (Aborted, In Progress, Remove When Done, etc.) |
| Start Date/Time | The time stamp, local to the client, of the start of the search during which the result was found. This is the time stamp for the first time the match was begun. |
| Last Run Date/Time | The time stamp, local to the client, of the start of the search during which the result was found. |
| Information | Information regarding the client when an upgrade has been initiated. |
- Special Fields: Please refer to Using the Row Number Column in a report for details on how to use this column when creating a report.
| Field | Description |
|---|---|
| Row Number | The sequential row number based on the sorting of your results. If your sort is on a column where every value in that column is identical, then the row number is the same for all rows (i.e. 1). If there is no sorting in your report, then the row number has no practical meaning and shows -1 for all rows. |
- Audit: The Audit report displays information found in the Audit Logging tab.
| Field | Description |
|---|---|
| Date/Time | The time stamp of when the action occurred. |
| Type | The action that was logged. |
| User | The name of the user who initiated the action. |
| Host | The name of the machine as stored internally in the database, on which the action was initiated. |
| IP Address | The IP address of the machine on which the action was initiated. |
| Information | Any additional details about the event. |
- Policy Scheduled Tasks: The Policy Scheduled Tasks report displays information about scheduled tasks.
| Field | Description |
|---|---|
| Scheduled Task Identifier |
Uniquely identifies a policy scheduled task in the database. |
| Task Name | Name of the task. |
| Discovery Team | Discovery team assigned to the task. |
| Distributed Search Type | Displays the distributed search type for discovery team searches. |
| Date/Time | The time stamp the task was created. |
Removing and Reordering Columns
To remove a column from the report, follow any of the following methods:
- Click the red
to the left of the column name in the Selected Columns list. - Alternatively, highlight a column in the Selected Columns list and use the Remove ribbon button in the Columns group or
- Right-click on the column and select Remove.
The columns appear in the report from left to right in the same order that they appear from top to bottom in the Selected Columns list. To change the order of the columns, highlight a column and use the Move Up/Move Down ribbon buttons or right click on a column and select Move Up or Move Down.
Note: A column which has the red X greyed out (
) indicates that column is being used in another report.
Column Properties
When you highlight a column in the Selected Columns list, the Column Properties for that column displays. Depending on the type of the column (e.g., date, count, text), different column properties are available. You can hide the column properties by clicking on the button to the left of the Column Properties label.
- Label: The name of the column as it appears in the report. You may leave this as is or enter your own description.
- Sort: The order by which to sort the column - Ascending, Descending or None.
- Aggregate: A function that can be applied to the data in the column. The available aggregations differ based on column type:
- None: Do not apply any aggregation - display all of the available values.
- Count: Display a count of the number of unique rows rather than each individual value.
- Sum: Add up the individual values for this column and display only a single value - the sum.
- Avg: Add up the individual values for this column, divide by the number of data points, and display only a single value - the average.
- Oldest: Display only the oldest value.
- Newest: Display only the newest value.
- Day: Display only all relevant rows, but display only the day rather than the entire time stamp. This is useful when setting aggregation on another column, for example aggregating match count by sum to see a single row with the relevant Day and a total of all the matches for that day.
- Week: Display only all relevant rows, but display only the week rather than the entire time stamp. This is useful when setting aggregation on another column, for example aggregating match count by sum to see a single row with the relevant Week and a total of all the matches for that week.
- Month: Display only all relevant rows, but display only the month rather than the entire time stamp. This is useful when setting aggregation on another column, for example aggregating match count by sum to see a single row with the relevant Month and a total of all the matches for that month.
- Year: Display only relevant rows, but display only the year rather than the entire time stamp. This is useful when setting aggregation on another column, for example aggregating match count by sum to see a single row with the relevant Year and a total of all the matches for that year.
- Format: A specific formatted string used to format date columns. More detail is available in the following Knowledge Base article: Formatting Dates in Console Reports
- Hidden: All Selected Columns are displayed in the report by default. Checking "hidden" still includes the data from that column when constructing the report, but the column will not be displayed in the report itself. This is useful when using "identifier" columns to establish relationships with other reports.