View the Event Inspector

The Event Inspector displays additional details for any event you select from the Results Table. This panel allows you to scroll through the specific details of the event and groups the details by categories such as Agent and Source. To open the Event Inspector, right-click any event in the search Results Table.

To view events migrated from Logger, select Logger before creating a search.

You can perform the following tasks with the Event Inspector:

Search for fields and values

To search for fields and values in the details of an event, enter a string in the search box at the top of the Event Inspector. The Event Inspector will filter the fields and values to match your search criteria.

Add fields and values to current or new search

You can add event fields and values in the Event Inspector to your current search query or a new search query.

Hover over a field (for example, Agent Hostname) to display a check box next to the field. Then, select the check box to select the field and its value. Then, either click the magnifying glass icon at the top of the Event Inspector or right-click your selected field. Both actions display a pop-up menu with the following options:

  • Create New Search

    Allows you to create a new search query with the selected event fields and their values.

    For example, if you selected the field Name and its value equals "failed login", then it would display as follows in the new search query: ...| where Name = "failed login". The new search will open in a new tab on your web browser. If a field is not already present in the fieldset, it will be added to a temporary fieldset.

  • Add to Active Search

    Adds your selected event fields and their values to the current search query in the search input field.

    For example, if you selected the field Name and its value equals "failed login", the field and value would display as follows in the current search query: <current search query> | where Name = "failed login". If a field is not already present in the fieldset, it will be added to a temporary fieldset.

Create a dashboard based on a host or user profile

You can create a dashboard in the Reports Portal that lets you view host and user profile information:

  • View Host Profile

    To view the details of a host, right-click a host name or an IP address.

    For example, right-click a value in the Agent Hostname column. The system launches a dashboard in the Reports Portal for your selection.

  • View User Profile

    To view the details of a user, right-click a source or destination username. The system launches a dashboard in the Reports Portal for your selection

Copy and share event detail URL

To share event details with another Analyst, click the Copy URL icon at the top of the Event Inspector. This action copies the URL to your clipboard so you can share it as needed.

Export event details to .pdf or .csv files

You can export event details from the Event Inspector to store or share information. You have the option to export events in .pdf or .csv format. Additionally, you can include or exclude null fields in the exported file.

Expand/collapse and show/hide data fields

The top of the Event Inspector contains an arrow icon that expands and collapses the event details. There is also an eye icon that can show or hide null fields. If you select to display null fields and export the event details to PDF or CSV, the exported file will contain the null fields.