View the Results of a Search

Search displays results in an Events Histogram, Search Results table, and Event Details panel. If connectors are configured to send raw events, the table and details panel can include raw event data. Also, the maximum number of events that a search can return is 10 million, but you can specify a preferred limit. If your searches regularly stop at the maximum limit, consider splitting the query into separate searches.

You can export the search results to a CSV file.

View the Histogram

The Histogram displays data in a segmented graph: the x-axis is divided into bars of equal time segments, and the y-axis shows the number of events in each segment. The time range on the x-axis might not match the time range specified in the search query, because the start and end times on the x-axis are determined by the event times of the first and last matching events of the search query.

Click the menu to the right of the histogram and select either Linear Scale or Log Scale to display the data in your preferred format. As you hover your pointer over the histogram, the color of the bar directly below the pointer changes and a tooltip displays the day/date/time of that event range. Click a bar to view event information for a specific time range. Click the bar again to deselect it.

Note that some search activities do not require the histogram, and thus it will not be displayed. For example, if you perform an aggregation operation, such as "top" or "bottom," Search will not display the histogram because the Search Results table contains the aggregation of results, not events in a timeline.

How Search builds the histogram

Search progressively builds the histogram as it receives events that match the search settings. If the search needs to scan a large amount of data or a large time period, the histogram displayed initially might refresh multiple times while the search is running. To view the complete histogram of a search, wait until the search has finished running.

Search plots the first one million matching events on the histogram. If a search's results exceed one million events, Search displays an informational message. If you need to use the histogram view for event analysis of a search that matches more than one million events, we suggest that you adjust the time range to retrieve fewer than one million events. This will allow you to obtain a complete and meaningful histogram. You can also use a pipeline operator to further refine the search results so that the total number of hits is under one million events.

Narrow the scope of the search

If you have a large number of data points or a wide time range, you can see the big, overall picture, but you might not be able to clearly identify specific data points. To narrow the scope of the displayed data, adjust the boundaries of the displayed bars. As you adjust the time range within the Histogram, the Search Results table displays corresponding events.

Drill down to events

You can drill down to events in a specific time period by clicking the bar on the histogram that represents that time period. The bar you drilled down to is highlighted and the events matching that time period are listed below the histogram. To deselect the time period, click the bar again. When you hover over a histogram bar, the matching events listed below the histogram do not change, and the histogram continues to display all matching events.


View the Search Results Table

The Search Results table contains all the fields specified in the fieldset. You can choose to display the table in Grid View or Raw View. To view details of a specific event, select the event.

The following actions can be performed while viewing the table:

View all details for an event

When you select an event in the table, Search opens the Event Details panel. Within the panel, you can further expand the fields for more information.

View raw event data

When you click the Raw View icon, the Search Results table replaces the fieldset columns with a Raw Data column, which displays the whole raw event.

Although the Raw Event field is most applicable for syslog events, you can also display the raw event associated with CEF events.

To do so, make sure the connector that is sending events to the database populates the rawEvent field with the raw event.

Filter the search based on values in a field

When you click the Field Summary icon, Search displays all the fields in the search and the number of events per each value returned for that field.

To filter the search results based on a field, select the field. To filter based on a <field><value> pair, select the field then the value. Next, click .

For example, select Source Port (the field), then select one of the listed port numbers (the value). Search will add the field and value to the query, then automatically filter the displayed results.

Export the search results

To export the results to a CSV file, select .

Copy a value from an event

To use a value from an event elsewhere, right-click the value and copy it.

Compare data in columns

Right-click a column heading, then select Pin Column or Unpin Column.

By pinning a column, you can compare the column’s values against those of other columns. Search moves the pinned column to the extreme left location in the table. You can pin multiple columns.

Remove or hide columns

If you do not want to view a column, right-click the column heading, then select Hide Column.

Alternatively, you can click the Wrench icon, and then select the column.

Reorder columns

To rearrange the order of the columns, drag each column to a new position.

Sort the data in columns

Select the up or down arrow in the column heading to change the sort order.