View and Use the Details of an Event

Right-click an event in the Search Results Table > click Open In Event Inspector.

The Event Inspector opens in a panel that allows you to scroll through the details of an event and groups them by categories such as Agent and Source. Use this panel when you want to research specific details on an event.

You can view the raw data details for the event, as well as instruct the panel to include fields with null data. For example, you could view details about the agent, category, device, source, or severity. You can only open one event in the Event Inspector at a time.

To view events migrated from Logger, select Logger before creating a search.

Search for Event Details
Copy and Share Event Detail URL
Export Event Details to PDF or CSV
Apply Event Details to Current or New Search
View Null Data Fields
Expand or Collapse All Data Fields

Search for Event Details

The top of the Event Inspector contains a search box that allows you to search through the fields in the event details. Use this feature to quickly locate specific details on an event without the need to scroll through the entire Event Inspector.

To search for fields and values in the details of an event, enter a string in the search box at the top of the Event Inspector. The Event Inspector will filter the fields and values to match your search criteria. For example, if you searched the term “device” the panel will display all fields with the name “device” and any fields containing the value “device”.

Copy and Share Event Detail URL

You might want to share the selected event’s details with an Analyst or use the details in a report or other media. You can export all content in the Event Inspector with or without empty values.

Click the Copy URL icon at the top of the Event Inspector to copy the Event Inspector URL to your clipboard. Then, you can share the URL as needed. When an Analyst loads the URL, the Event Inspector will open in their browser with the event details related to the URL.

This action is helpful in situations where you need an Analyst to research an event further or for reporting purposes.

Note: The Event Inspector URL contains the event's ID (id field in the Search Results table) and global event ID (geid field in the Search Results table). See the table below for an example and variations of the Event Inspector URL format. Use these formats to create the URL.

If the geid is missing in the URL, an error message will display.

Event Inspector URL	Example
Full Event Inspector URL	/rec/fusionSearch/eventsInspector/?eventsTable=Recon&id=5139791690&geid=3009625190352082178
geid and id only	/rec/fusionSearch/eventsInspector/?id=5139791690&geid=3009625190352082178
geid only	/rec/fusionSearch/eventsInspector/?geid=3009625190352082178

Export Event Details to PDF or CSV

There may be situations where you need to use event details for reporting purposes. Or, you may need to share the event details with an Analyst who does not have access to the Event Inspector. You can do so by exporting the event details to PDF or CSV. Follow these steps:

At the top of the Event Inspector, click the Export icon.
A pop-up menu appears. Click either Export to PDF or Export to CSV.
Both selections will start a download of the event details to your selected format.
Share or use the PDF or CSV as needed.

If the option to show null values is selected, those null values are included in the exported CSV or PDF file. If null values are excluded, they will not appear in the exported file.

NOTE: You can also export an event to PDF or CSV from the Search Results Table. Right-click an event in the Search Results table to open a pop-up menu with the options Export to PDF and Export to CSV. If you use this method to export the event details, null values will be included in the exported file.

Apply Event Details to Current or New Search

You can add the field and value pairs in the event details to your current search or a new search. This action is helpful in situations where you need to research more data on a specific event. After adding a field and value pair to a current search or new search, you might need to add the respective field to the search fieldset if that field is not already part of the fieldset.

Hover over a field in the Event Inspector (for example, Agent Hostname) to display a check box next to the field. Then, select the check box to select the field and its value. From here, do one of the following actions:

Right-click the selected event field
Click the magnifying glass icon at the top of the Event Inspector

Both actions display a pop-up menu with the following options:

Create New Search: Selecting this option allows you to create a new search query with your selected event fields and their values. For example, if you selected the field "Name" and its value equals "failed login", then it would display as follows in the new search query: | where Name = failed login.
Add to Active Search: Selecting this option adds your selected event fields and their values to the current search query in the search input field. For example, if you selected the field "Name" and its value equals "failed login", the field and value would display as follows in the current search query: <current search query> | where Name = failed login.

Once you’ve performed a new search with the selected field and value pairs, the Event Timeline and Search Results table will filter to display data related to your new search.

View or Hide Null Data Fields

To show or hide fields with null data, click the eye icon at the top of the Event Inspector. Hiding the null fields filters your view of the event details to show only fields with data. Use this feature if you want to see only fields with data in the event details.

Expand or Collapse All Data Fields

Next to the eye icon at the top of the Event Inspector is an Expand All/Collapse All icon. Click this icon to expand the fields in the Event Inspector to show all values related to the fields. Or click it to hide the values related to the fields and display only the field names.