View the Results Table

The Search Results table contains all the fields specified in the fieldset. The dataset contains the events that match the search query and criteria. You can choose to display the table in Grid View or Raw View. You can perform the following actions while viewing the table:

View all details for an event

To view details of a specific event, right-click the event and select Open In Event Inspector. This action opens the Event Inspector in a panel on the right where you can view additional details on the event.

Raw View option for event data

When you click the Raw View icon, the Search Results table replaces the fieldset with a Raw Data column, which displays the whole raw event. Although the Raw Event field is most applicable for syslog events, you can also display the raw event associated with CEF events.

To do so, make sure the connector that is sending events to the database populates the rawEvent field with the raw event.

Field Summary option to filter the search based on a specific field

When you click the Field Summary icon, Search displays all the fields contained in the search in the Fields panel on the left, and the number of events returned for each field in the Summary panel on the right.

The Summary panel contains options to:

  • Display events containing your chosen field. Clicking the icon automatically re-runs the original query with an added AND filter of the chosen field not equal to NULL.

  • Filter the search results based on a specific field value: select the field in the left panel, then the value in the right panel. The original query is re-run with an added AND filter of the chosen field equal to the selected value.

    For example, select Source Port (the field), then select one of the listed port numbers (8081). Search will add the field and value to the query, then automatically filter the displayed results.

  • Top 50 values, which displays the 50 most common values for a field

    For example, the Device Vendor field might have a top value of “bluecoat” with a count of 3,000 hits, accounting for 30 percent of 10,000 results.

  • Bottom 50 values, which displays the 50 least common values for a field
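
To make the Summary panel counts concrete, here is an added Python example (not part of this documentation or the product) that parses a few constructed raw CEF events of the kind shown in Raw View and computes what the Summary panel reports: how many events have a field set (not NULL), the top values with count and percent of all results, and the "field equal to value" filter. The sample events and the hypothetical field names are assumptions, not product data.

```python
import re
from collections import Counter

# Constructed sample raw events in CEF format (illustrative values, not real data).
RAW_EVENTS = [
    "CEF:0|bluecoat|proxysg|6.7|1|Web access|3|src=10.0.0.5 spt=8081 dst=203.0.113.9",
    "CEF:0|bluecoat|proxysg|6.7|1|Web access|3|src=10.0.0.6 spt=8081 dst=203.0.113.9",
    "CEF:0|bluecoat|proxysg|6.7|1|Web access|3|src=10.0.0.7 spt=50001 dst=203.0.113.10",
    "CEF:0|paloalto|PAN-OS|10.1|TRAFFIC|Traffic|2|src=10.0.0.8 dst=198.51.100.4",
    "CEF:0|microsoft|windows|10|4624|Logon|1|duser=alice dhost=ws01 msg=Logon succeeded",
]

HEADER_FIELDS = ["version", "deviceVendor", "deviceProduct", "deviceVersion",
                 "signatureId", "name", "severity"]
# Extension pairs: key=value, where a value runs until the next " key=" or end of line.
EXT_PAIR = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_cef(raw: str) -> dict:
    """Split one raw CEF event into its 7 header fields plus extension fields.
    Backslash escapes inside values are left as-is (sufficient for a summary)."""
    parts = raw.split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError(f"not a CEF event: {raw!r}")
    event = dict(zip(HEADER_FIELDS, parts[:7]))
    event["version"] = parts[0][len("CEF:"):]
    event.update(EXT_PAIR.findall(parts[7]))
    return event


def field_summary(events: list, field: str, top: int = 50) -> dict:
    """Mimic the Summary panel for one field: the number of events where the
    field is not NULL, and its top-N values with count and percent of ALL results."""
    total = len(events)
    values = [e[field] for e in events if field in e]
    ranked = Counter(values).most_common(top)
    return {
        "non_null": len(values),
        "top": [(v, n, round(100 * n / total, 1)) for v, n in ranked],
    }


def filter_by_value(events: list, field: str, value: str) -> list:
    """Mimic re-running the query with 'AND field = value', e.g. spt = 8081."""
    return [e for e in events if e.get(field) == value]


if __name__ == "__main__":
    parsed = [parse_cef(r) for r in RAW_EVENTS]
    print(field_summary(parsed, "deviceVendor"), field_summary(parsed, "spt"))
```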

Export all of the search results

You can export all of the results to a .csv by clicking the icon.

Export a single event

You can export a single event as a .csv or a .pdf by right-clicking the event and selecting either Export to PDF or Export to CSV.

Copy a value from an event

To use a value from an event elsewhere, simply right-click and copy the value.

Compare data in columns

Hover over a column heading, then click the Pin icon to pin or unpin a column.

By pinning a column, you can compare the column’s values against those of other columns. Search moves the pinned column to the extreme left location in the table. You can pin multiple columns.

Reorder columns

To rearrange the order of the columns, drag each column to a new position by clicking and dragging its column header.

Sort the data in columns

Select the up or down arrow in the column heading to change the sort order.