URL API: Linking a template

The magic happens when the URL API is used to let users of web applications jump into prebuilt investigations with just one click.

Consider the following URL for triggering a phone history check:

/pivot/template?investigation=453d190914cf9fa0&pivot[0][events][0][phone]=1.800.555.5555&time=1504401120.000&before=-1d&after=+1d&name=Phone-History-555-5555

This URL instantiates template `453d190914cf9fa0`, names it `Phone-History-555-5555`, overrides the global time range to center on `1504401120` (epoch time) and runs searches +/- 1 day from then. The first pivot is populated with one record whose field `phone` is set to the string `"1.800.555.5555"`.

| Field | Optional | Default | Format | Notes |
| --- | --- | --- | --- | --- |
| `investigation` | required | | ID | Get the template ID from its URL. Ex: `453d190914cf9fa0` |
| `name` | optional | "Copy of [template name]" | String | Recommend using a short standard pattern to group investigations together ("[Phone History] ...") |
| `time` | optional | now | Number or string | Epoch time (number), or best-effort parsing if not a number. Ex: `1504401120` |
| `before` | optional | `-7d` | `[+/-][number][ms/s/min/h/d/w/mon/y]` | Ex: `-1d` |
| `after` | optional | `+0d` | `[+/-][number][ms/s/min/h/d/w/mon/y]` | Ex: `+3min` |
| `pivot` | optional | see below | see below | |

URL parameter `pivot` follows one of the two following formats:

  • `[step][field]`, e.g., `pivot[0][index]=index%3Dalerts`, the URI-encoded form of the string `"index=alerts"`
  • `[step][field][list_index][record_field]`, e.g., `pivot[0][events][0][phone]=1-800-555-5555` sets the first step's `events` to the JSON list `[ {"phone": "1-800-555-5555"} ]`

You can therefore set or override most investigation step values, not just the first one. Likewise, if you want to trigger an investigation over multiple values, you can provide a list of them.
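As an added example that is not part of the original page, the following Python builds a template link from structured input and decodes the `pivot[...]` parameters back into the per-step JSON shape described above. It assumes template IDs are 16 hex characters as in the example, keeps the brackets literal as on the page, and percent-encodes `=` and `+` inside values (as the page's own `index%3Dalerts` does) so the server cannot read them as a separator or a space; the offset check for `before`/`after` follows the format in the table.

```python
import re
from urllib.parse import parse_qsl, urlencode

# before/after offsets use the page's [+/-][number][unit] format
OFFSET_RE = re.compile(r"^[+-]?\d+(?:ms|s|min|h|d|w|mon|y)$")
# pivot keys: [step][field] or [step][field][list_index][record_field]
PIVOT_KEY_RE = re.compile(r"^pivot\[(\d+)\]\[(\w+)\](?:\[(\d+)\]\[(\w+)\])?$")

def build_template_url(investigation, name=None, time=None, before=None,
                       after=None, pivots=None):
    """Build a /pivot/template link; `pivots` is a list of per-step dicts (a list value becomes records)."""
    # assumption: template IDs are 16 hex characters, as in the page's example
    if not re.fullmatch(r"[0-9a-f]{16}", investigation):
        raise ValueError("investigation must be a 16-character hex template ID")
    params = [("investigation", investigation)]
    for key, value in (("name", name), ("time", time), ("before", before), ("after", after)):
        if value is None:
            continue
        if key in ("before", "after") and not OFFSET_RE.match(value):
            raise ValueError(f"{key} must look like -1d or +3min, got {value!r}")
        params.append((key, str(value)))
    for step, fields in enumerate(pivots or []):
        for field, value in fields.items():
            if isinstance(value, list):  # list of records -> [list_index][record_field]
                for i, record in enumerate(value):
                    for rfield, rval in record.items():
                        params.append((f"pivot[{step}][{field}][{i}][{rfield}]", str(rval)))
            else:
                params.append((f"pivot[{step}][{field}]", str(value)))
    # brackets stay literal as on the page; '=' and '+' in values become %3D and %2B
    return "/pivot/template?" + urlencode(params, safe="[]")

def parse_pivots(url):
    """Decode pivot[...] parameters into the list of step dicts the page describes."""
    steps = {}
    for key, value in parse_qsl(url.partition("?")[2], keep_blank_values=True):
        m = PIVOT_KEY_RE.match(key)
        if not m:
            continue  # not a pivot parameter (investigation, name, time, ...)
        step, field, idx, rfield = m.groups()
        fields = steps.setdefault(int(step), {})
        if idx is None:
            fields[field] = value
        else:
            records = fields.setdefault(field, [])
            while len(records) <= int(idx):
                records.append({})
            records[int(idx)][rfield] = value
    return [steps[i] for i in sorted(steps)]
```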