Collapsed GroupBy Tabular results in Log Search

G’day folks,

Since the 16th July 2025 InsightIDR platform update, we’ve spotted an odd change in Log Search:

Run any query with more than three groupby() keys, e.g.
where(event_type="asset_authentication")
groupby(destination_user, source_asset, result, source_ip)

The Analysis pane shows each row collapsed, displaying only the first result with an Expand caret for the rest.

The view resets on every refresh, so analysts must click hundreds of rows to view all values depending on the query.

I’ve checked the July 2025 release notes and earlier monthly notes, and I couldn’t see this called out, which seems like a significant oversight?

Questions

  • Is the collapse‑by‑default behaviour intentional or a bug?
  • Is there a setting, feature flag or URL parameter to force rows to expand automatically?
  • Any work‑arounds people are using (custom CSS, export, API, etc.)?
  • Rapid7 team: can you confirm whether this is expected and, if so, whether a toggle will be added?

This extra clicking is significantly slowing down investigations for our SecOps team. Any guidance appreciated.

There seems to be no mention of this in the latest release notes.

Can confirm that only 3 parameters are accepted for group_by … this is immensely frustrating, as is the “new” UI.

I just tested this and can still use 5 groupby keys, which was the previous maximum. Can you share some more context about the query you are using?

As for the changes to the collapse by default, vs expand by default, I’ve raised this to our Product and Engineering team to confirm.

David

These changes have been reverted as of this morning.

Thanks for the valuable feedback!

David

thank you team :partying_face: