View and Use the Details of an Event

To open the Event Inspector, right-click any event in the search Results Table.

The Event Inspector opens in a panel that lets you to scroll through the details of an event and groups them by categories such as Agent and Source. Use this panel when you want to research specific details on an event. You can view the raw data details for the event, as well as instruct the panel to include fields with null data. For example, you could view details about the agent, category, device, source, or severity. You can only open one event in the Event Inspector at a time.

Search for Event Details
Copy and Share Event Detail URL
Export Event Details to PDF or CSV
Apply Event Details to Current or New Search
View Null Data Fields
Expand or Collapse All Data Fields

To view events migrated from Logger, select Logger before creating a search.

Search for Event Details

The top of the Event Inspector contains a search box that allows you to search through the fields in the event details. Use this feature to quickly locate specific details on an event without the need to scroll through the entire Event Inspector.

To search for fields and values in the details of an event, enter a string in the search box at the top of the Event Inspector. The Event Inspector will filter the fields and values to match your search criteria. For example, if you searched the term “device” the panel will display all fields with the name “device” and any fields containing the value “device”.

Copy and Share Event Detail URL

You might want to share the selected event’s details with an Analyst or use the details in a report or other media. You can export all content in the Event Inspector with or without empty values. The Event Inspector URL contains the event's ID (id field in the Search Results table) and global event ID (geid field in the Search Results table). See the table below for an example and variations of the Event Inspector URL format. Use these formats to create the URL.

Click the Copy URL icon at the top of the Event Inspector to copy the Event Inspector URL to your clipboard. Then, you can share the URL as needed. When you load the URL, the Event Inspector open in the browser with the event details related to the search. This action is helpful in situations where you need to research an event further or for reporting purposes.

If the geid is missing in the URL, an error message will display.

Event Inspector URL	Example
Full Event Inspector URL	/rec/search/eventsInspector/?eventsTable=Recon&id=5139791690&geid=3009625190352082178
geid and id only	/rec/search/eventsInspector/?id=5139791690&geid=3009625190352082178
geid only	/rec/search/eventsInspector/?geid=3009625190352082178

Export Event Details to PDF or CSV

There may be situations where you need to use event details for reporting purposes. Or you might need to share the event details with an analyst who does not have access to the Event Inspector. You can do so by exporting the event details to .pdf or .csv files.

Apply Event Details to Current or New Search

You can add event fields and values in the Event Inspector to your current search query or a new search query. This action is helpful in situations where you need to research more data on a specific event.

Hover over a field in the Event Inspector (for example, Agent Hostname) to display a check box next to the field. Then, select the check box to select the field and its value. From here, do one of the following actions:

Right-click the selected event field
Click the magnifying glass icon at the top of the Event Inspector

Both actions display a pop-up menu with the following options:

Create New Search: Selecting this option allows you to create a new search query with your selected event fields and their values. For example, if you selected the field Name and its value equals "failed login", then it would display as follows in the new search query: ...| where Name = "failed login". If a field is not already present in the fieldset, it will be added to a temporary fieldset.
Add to Active Search: Selecting this option adds your selected event fields and their values to the current search query in the search input field. For example, if you selected the field Name and its value equals "failed login", the field and value would display as follows in the current search query: <current search query> | where Name = "failed login". If a field is not already present in the fieldset, it will be added to a temporary fieldset.

Once you’ve performed a new search with the selected field and value pairs, the Event Timeline and Search Results table will filter to display data related to your new search.

Create a Dashboard Based on a Host or User Profile

You can create a dashboard in the Reports Portal that lets you view host and user profile information.

View Host Profile: To view the details of a host, right-click a host name or an IP address. For example, right-click a value in the Agent Hostname column. The system launches a dashboard in the Reports Portal for your selection.
View User Profile: To view the details of a user, right-click a source or destination username. The system launches a dashboard in the Reports Portal for your selection.

View or Hide Null Data Fields

To show or hide fields with null data, click the eye icon at the top of the Event Inspector. Hiding the null fields filters your view of the event details to show only fields with data. Use this feature if you want to see only fields with data in the event details.

Expand or Collapse All Data Fields

Next to the eye icon at the top of the Event Inspector is an Expand All/Collapse All icon. Click this icon to expand the fields in the Event Inspector to show all values related to the fields. Or click it to hide the values related to the fields and display only the field names.