Search displays results in an Events Timeline and Events table. If connectors are configured to send raw events, the table can include raw event data.
The Events Timeline displays data points in a segmented timeline across the specified time range. The time range in the Timeline corresponds with the data listed in the Events table. If you have a large number of data points or a wide time range, you can see the big, overall picture, but you might not be able to clearly identify specific data points. To narrow the scope of the displayed data, select Enable Range Selector then adjust the boundaries of the selector.
To view the details of a data point or moment in time, select Disable Range Selector, then hover over the data point.
The Events table contains all the fields specified in the fieldset. You can choose to display the table in Grid View or Raw View. To view details of a specific event, select the event. While viewing the table, you can perform the following actions:
When you select an event in the table, Search opens the Event Details panel. Within the panel, you can further expand the fields for more information. For example, you could view details about the agent, category, device, source, or severity. You can also view the raw data in the details.
When you select the Raw View icon, the Events Table replaces the fieldset columns with a Raw Data column, which displays the whole raw syslog event.Although the Raw Event field is most applicable for syslog events, you can also display the raw event associated with CEF events. To do so, make sure the connector that is sending events to the database populates the rawEvent field with the raw event.
Right-click a value in a table row, then select Search for.
Search displays all of the event data that is based on the selected field value.
Right-click a column heading, then select Preview Top/Bottom.
To help filter data for security threats, you can quickly display the most and least common values for a field. Search displays the count and percentage of hits for the value.
For example, the Device Vendor field might have a top value of “bluecoat” with a count of 3,000 hits, accounting for 30 percent of 10,000 results.
Applies only when the fieldset for the original search includes the Device Receipt Time field.
Right-click an IP address or host name, then select Get Authenticated Users.
Search displays users who have successfully authenticated to the IP address or host name in the last 24 hours.
Right-click a column heading, then select Pin Column or Unpin Column.
By pinning a column, you can compare the column’s values against those of other columns. Search moves the pinned column to the extreme left location in the table. You can pin multiple columns.
If you do not want to view a column, right-click the column heading, then select Hide Column.
Alternatively, you can select the Wrench icon, then deselect the column.
To rearrange the order of the columns, drag each column to new position.
Select the up or down arrow in the column heading to change the sort order.
If an event does not have data for a schema field, Search represents the absence of data (null) in the results in the following ways:
|
Affected Field |
Displayed Result |
|---|---|
|
Search field |
Null, NULL and null query formats |
|
Events table |
Empty cell |
|
Empty field from ESM ( for example, name='') |
name = ‘’, NULL |
If the time range for your search is based on a predefined range, such as Last 30 minutes, you can refresh the search results as desired. However, refreshing the browser as you update a search does not save your changes. You must save the refreshed results.