View the Results of a Search

Search results are displayed in an Events Histogram, Search Results table, and Event Inspector panel. If connectors are configured to send raw events, the table and inspector panel can include raw event data. Also, the maximum number of events that a search can return is 10 million, but you can specify a preferred limit. If your searches regularly stop at the maximum limit, consider splitting the query into separate searches.

You can export the search results to a CSV file.

View the Event Histogram
View the Search Results Table
View the Event Inspector

View the Event Histogram

The Histogram displays data in a segmented graph where the y-axis presents the number of events per bars of time segments in the x-axis. The time range on the x-axis might not match the time range specified in the search query because the start and end times on the x-axis are determined by the event times of the first and last matching events of the search query.

Click the menu to the right of the histogram and select either Linear Scale or Log Scale to display the data in your preferred format. As you hover your pointer over the histogram, the bar color directly below the pointer changes and displays a tooltip of the day/date/time of that event range. Click a bar to view event information for a specific time range. Click again to deselect the bar.

Note that some search activities do not require the histogram, and thus it will not be displayed. For example, if you perform an aggregation operation, such as "top" or "bottom," Search will not display the histogram because the Search Results table contains the aggregation of results, not events in a timeline.

How Search builds the histogram

Search progressively builds the histogram as it receives events that match the search settings. If the search needs to scan a large amount of data or a large time period, the histogram displayed initially might refresh multiple times while the search is running. To view the complete histogram of a search, wait until the search has finished running.

Search plots the first one million matching events on the histogram. If a search results exceed one million events, Search displays an informational message. If you need to use the histogram view for event analysis of a search that matches more than one million events, we suggest that you adjust the time range to retrieve fewer than one million events. This will allow you to obtain a complete and meaningful histogram. You can also use a pipeline operator to further refine search results so that the total number of hits is under one million events.

Narrow the scope of the search

If you have a large number of data points or a wide time range, you can see the big, overall picture, but you might not be able to clearly identify specific data points. To narrow the scope of the displayed data, adjust the boundaries of the displayed bars. As you adjust the time range within the Histogram, the Events table displays corresponding events.

Drill down to events

You can drill down to events in a specific time period by clicking the bar on the histogram that represents that time period. The bar you drilled down to is highlighted and the events matching that time period are listed below the histogram. To deselect the time period, click the bar again. When you hover over a histogram bar, the matching events listed below the histogram do not change, and the histogram continues to display all matching events.

View the Search Results Table

The Search Results table contains all the fields specified in the fieldset. You can choose to display the table in Grid View or Raw View. You can perform the following actions while viewing the table:

View all details for an event

To view details of a specific event, right-click the event and select Open In Event Inspector. This action opens the Event Inspector in a panel on the right where you can view additional details on the event.

View raw event data

When you click the Raw View icon, the Search Results table replaces the fieldset with a Raw Data column, which displays the whole raw event. Although the Raw Event field is most applicable for syslog events, you can also display the raw event associated with CEF events.

To do so, make sure the connector that is sending events to the database populates the rawEvent field with the raw event.

Export the search results

To export the results to a CSV file, select .

Export a single event

To export a single event, right-click the event. Then, select either Export to PDF or Export to CSV.

Copy a value from an event

To use a value from an event elsewhere, simply right-click and copy the value.

Compare data in columns

Hover over a column heading, then click the Pin icon to pin or unpin a column.

By pinning a column, you can compare the column’s values against those of other columns. Search moves the pinned column to the extreme left location in the table. You can pin multiple columns.

Reorder columns

To rearrange the order of the columns, drag each column to new position by clicking and dragging the column header.

Sort the data in columns

Select the up or down arrow in the column heading to change the sort order.

View the Event Inspector

The Event Inspector displays additional details on any event you select from the Event table. This panel allows you to scroll through the specific details of the event and groups the details by categories such as Agent and Source. To open the Event Inspector, right-click any event in the Search Results table. Then, select Open in Event Inspector from the pop-up menu.

To view events migrated from Logger, select Logger before creating a search.

You can perform the following functions with the Event Inspector:

Search for fields and values

To search for fields and values in the details of an event, enter a string in the search box at the top of the Event Inspector. The Event Inspector will filter the fields and values to match your search criteria.

Add fields and values to current or new search

You can add event fields and values to your current search or a new search.

Hover over a field (for example, Agent Hostname) to display a check box next to the field. Then, select the check box to select the field and its value. Then, either click the magnifying glass icon at the top of the Event Inspector or right-click your selected field. Both actions display a pop-up menu with the following options:

Create New Search: Selecting this option allows you to create a new search query with the selected event fields and their values. For example, if you selected the field "Name" and its value equals "failed login", then it would display as follows in the new search query: Name = failed login. The new search will open in a new tab on your web browser.
Add to Active Search: Selecting this option adds your selected event fields and their values to the current search query in the search input field. For example, if you selected the field "Name" and its value equals "failed login", the field and value would display as follows in the current search query: <current search query> | where Name = failed login.

Copy and share event detail URL

To share event details with another Analyst, click the Copy URL icon at the top of the Event Inspector. This action copies the URL to your clipboard so you can share it as needed.

Export event details to PDF or CSV

To export event details to a PDF or CSV format, click the Export icon at the top of the Event Inspector. A pop-up menu opens with the options Export to PDF and Export to CSV. Select the option that best meets your needs. You can include or exclude null fields in the exported file.

Expand/collapse and show/hide data fields

The top of the Event Inspector contains an arrow icon that expands and collapses the event details. There is also an eye icon that can show or hide null fields. If you select to display null fields and export the event details to PDF or CSV, the exported file will contain the null fields.