Query Viewers as a replacement for Active Channels?

Could you use a Query Viewer to (generically speaking) replace some of the initial visibility you get from an Active Channel. The TLDR summary is below.

As the primary content creator for our ArcSight install and since my ArcSight users don’t always have their consoles open, I often think about how best to get them to actionable data and to the point where they can dynamically interact with it in the shortest amount of time. You generally have data in Active Channels and data in Dashboards – with a sort of gulf between them. 4.5 brought an interesting feature with Query Viewers. Among other uses is the ability to tie multiple queries into a QV. Most often we use this for linking multiple buckets (Trends) of data. I see Bob’s computer/IP doing something in this bucket and with a simple right click and investigate I can see if that same IP shows up in another bucket.

The more I use ACs now though, the more I want them to act or at least have the functionality of QV. To that end I went about creating a QV that pulled 3 hours worth of events and didn’t update as a first pass at a replacement mechanism for an AC. My thought was while I would lose some of the extensibility I could at least link a number of the “buckets” I wanted to have visibility into.

TLDR Summary

I found the following issues impeded the overall goal. Others could be added to the list but then you get to the point where you might as well use an AC anyway given all that you CAN do with them.
• When you close a QV investigation panel you aren’t returned to your initial DB/QV – you are taken to the last tab in the Navigator pane on the right. This is kinda a pain if you are trying to do a quick drilldown and then get back to what you are looking at.
• QVs don’t have a horizontal scroll bar. This becomes an issue if you are trying to resize fields with long strings or if you have more than about 5 fields you want to pull up (note last bullet)
• You can’t adjust the relative position of QV drilldowns. The first one you put in is the first on the list etc. Is a pain if after you throw in a couple and want to organize it.
• The real kicker is if you have more fields in your QV then you are initially showing if you go to add them to the display while you are viewing the QV the console will lock up. At least that is what mine does. For example, I will always want to see fields like source/dest IP. I sometimes want to see zone name. My thought was to add the zone names to the QV but not initially display them.

It will be interesting to see what happens to QV in the next installment of the ESM. Hopefully some of these issues will be addressed.