View the Results of a Search

Search displays results in an Events Histogram, Events table, and Event Details panel. If connectors are configured to send raw events, the table and details panel can include raw event data. A search can return a maximum of 10 million events, but you can specify a preferred limit. If your searches regularly stop at the maximum limit, consider splitting the query into separate searches.

You can export the search results to a CSV file.

View the Events Timeline

The Events Timeline displays data points in a segmented timeline across the specified time range. The time range in the Timeline corresponds with the data listed in the Events table.

If you have a large number of data points or a wide time range, you can see the overall picture, but you might not be able to clearly identify specific data points. To narrow the scope of the displayed data, select Enable Range Selector, and then adjust the boundaries of the selector.

To view the details of a data point or moment in time, select Disable Range Selector, and then hover over the data point.

View the Events Table

The Events table contains all the fields specified in the fieldset. You can choose to display the table in Grid View or Raw View. To view details of a specific event, select the event.

The following actions can be performed while viewing the table:

View all details for an event

When you select an event in the table, Search opens the Event Details panel. Within the panel, you can further expand the fields for more information.

View raw event data

When you click the Raw View icon, the Events table replaces the fieldset columns with a Raw Data column, which displays the whole raw event.

Although the Raw Event field is most applicable for syslog events, you can also display the raw event associated with CEF events.

To do so, make sure the connector that is sending events to the database populates the rawEvent field with the raw event.

Export the search results

To export the results to a CSV file, select .

Copy a value from an event

To use a value from an event elsewhere, simply right-click and copy the value.

Compare data in columns

Right-click a column heading, then select Pin Column or Unpin Column.

By pinning a column, you can compare the column’s values against those of other columns. Search moves the pinned column to the leftmost position in the table. You can pin multiple columns.

Remove or hide columns

If you do not want to view a column, right-click the column heading, then select Hide Column.

Alternatively, you can click the Wrench icon, and then select the column.

Reorder columns

To rearrange the order of the columns, drag each column to a new position.

Sort the data in columns

Select the up or down arrow in the column heading to change the sort order.