Search displays results in an Events Timeline, Events table, and Event Details panel. If connectors are configured to send raw events, the table and details panel can include raw event data. Also, the maximum number of events that a search can return is 10 million. If your searches regularly stop at the maximum limit, consider splitting the query into separate searches.
The Events Timeline displays data points in a segmented timeline across the specified time range. The time range in the Timeline corresponds with the data listed in the Events table. If you have a large number of data points or a wide time range, you can see the big, overall picture, but you might not be able to clearly identify specific data points. To narrow the scope of the displayed data, select Enable Range Selector then adjust the boundaries of the selector.
To view the details of a data point or moment in time, select Disable Range Selector, and then hover over the data point.
The Events table contains all the fields specified in the fieldset. You can choose to display the table in Grid View or Raw View. To view details of a specific event, select the event. While viewing the table, you can perform the following actions:
When you select an event in the table, Search opens the Event Details panel. Within the panel, you can further expand the fields for more information.
When you select the Raw View icon, the Events table replaces the fieldset columns with a Raw Data column, which displays the whole raw syslog event.Although the Raw Event field is most applicable for syslog events, you can also display the raw event associated with CEF events. To do so, make sure the connector that is sending events to the database populates the rawEvent field with the raw event.
Right-click a value in a table row, then select Search For.
Search displays all of the event data based on the selected field value.
Right-click a column heading, then select Preview Top/Bottom.
To help filter data for security threats, you can quickly display the most and least common values for a field. Search displays the count and percentage of hits for the value.
For example, the Device Vendor field might have a top value of “bluecoat” with a count of 3,000 hits, accounting for 30 percent of 10,000 results.
Applies only when the fieldset for the original search includes the Device Receipt Time field.
Right-click an IP address or host name, then select Get Authenticated Users.
Search displays users who have successfully authenticated to the IP address or host name in the last 24 hours.
To use a value from an event elsewhere, simply right-click and copy the value.
To add a value from an event to your query, right-click the value.
Right-click a column heading, then select Pin Column or Unpin Column.
By pinning a column, you can compare the column’s values against those of other columns. Search moves the pinned column to the extreme left location in the table. You can pin multiple columns.
If you do not want to view a column, right-click the column heading, then select Hide Column.
Alternatively, you can select the Wrench icon, and then select the column.
To rearrange the order of the columns, drag each column to new position.
Select the up or down arrow in the column heading to change the sort order.
When you select an event in the Events table, Search opens the Event Details panel. In this panel, you can scroll through the specific details of the event. Search groups the details by categories such as Agent and Source. You can view the raw data details for the event, as well as instruct the panel to include fields with null data. For example, you could view details about the agent, category, device, source, or severity. Details displayed in blue text are part of the query filter.
You might want to share the selected event’s details with a colleague or use the details in a report or other media. You can export all content in the Event Details panel with or without empty values.
Search allows you to copy the URL of a detail to share with colleagues or open in a separate browser tab. You can also choose to use the detail in a new search query and in an nslookup or WhoIs search For example, you might select a domain name and use a nslookup to check whether the domain is valid.
If an event does not have data for a schema field, Search represents the absence of data (null) in the results in the following ways:
|
Affected Field |
Displayed Result |
|---|---|
|
Search field |
Null, NULL and null query formats |
|
Events table |
Empty cell |
|
Empty field from ESM (for example, name='') |
name = ‘’, NULL |
|
Event Details pane |
--- in the cell |
If the time range for your search is based on a predefined range, such as Last 30 minutes, you can refresh the search results as desired. However, refreshing the browser as you update a search does not save your changes. You must save the refreshed results.
Search assigns a unique Search Results ID, which is a link to the temporary table containing the search results that you see in the Events table. You can copy the ID to build a report around those events. You can also build a report based on the Search Results ID for a completed run of a scheduled search.
In the table’s header, select the Copy icon.
(Optional) To view or save the copied ID, paste the ID in a text editor.
Select Reports > Designer.
For Select a data source, paste the copied ID.
Complete the report design.