Open topic with navigation

Live Event Viewer

The Live Event Viewer provides a real-time view of the incoming events that match the criteria you specify. This functionality is useful in environments where the need to view an event quickly is important; for example, a financial institution might be interested in viewing a specific transaction type as soon as it occurs. Because the latency between the events arriving at Logger and the display time is short, events might not have been indexed on Logger before being displayed.

The Live Event Viewer is composed of two tabs—Search Composer and Search Results. The Search Composer defines the search criteria and the Search Results tab displays the matching events in real time.

The following figure shows the Search Composer. If you specify more than one search term, the resulting query uses the AND operator to combine them. For example, if the first search term searches for “failure” and the second one excludes “admin,” the resulting query is “failure AND NOT admin.”

Search Composer

Search Composer Legend

Feature	Description	Feature	Description
	Load a saved filter Save the current filter Add a filter row Remove a filter row Remove all filters		Specify device groups Specify storage groups
	Enter search criteria		Start or Stop Live Event Viewer

The Search Results tab provides the Play, Pause, Stop, Clear, and Export buttons that enable you to control the display in a manner similar to any electronic device, as shown in the following figure.

Search Results Tab

Search Results Legend

Feature	Description	Feature	Description
	Play / Pause / Stop / Delete / Export		Events scanned so far
	Filter specified in Search Composer		Events display maximum
	Current state		Search timer
	Events found so far		Matching event number

The following list highlights the features of Search Results display:

• Events are displayed in the raw event format and not in the columnar, table form as displayed in the Search Results page (Analyze > Classic Search) when you run a search query.
• A user can launch a maximum of one Live Event Viewer. There can be a maximum of five Live Event Viewers running on Logger at any time.
• The regular expression search method is used to identify matching events. Therefore, you can specify regular expressions as the search term in the Search Composer.
• Buffer Size defines the maximum number of events displayed in the Viewer. By default, the Buffer Size is 1000; however, it can be set to any number between the range of 20 and 5000.
• By default, the search is run for 15 minutes and then stopped to preserve system resources. If you need to run the search for longer than 15 minutes, click the icon next to the countdown timer to reset the timer to 15 minutes.
• When you click Pause, the Search Results display is frozen. However, the search operation continues in the background and the new matching events are buffered until a maximum of 1000 events have been buffered or the search timer, which continues to count down even when the Search Results display is frozen, reaches 00:00.
• If the timer has not reached 00:00, you can click Play to resume the paused search operation. When you click Play, the buffered events are displayed. The newly found events are appended to the previously found events on the Search Results display screen.
• When you click Stop, the search for matching events and the countdown of the search timer stop. When you click Play, the search is started afresh—the currently displayed events are cleared from the Search Results screen, the search timer is reset to 15 minutes, and the search starts again.
• You must stop the search operation to export the matching events.

To launch a Live Event Viewer:

1. Open the Analyze menu and click Live Event Viewer.

2. In the Search Composer tab, enter the search terms or click the () icon to select a saved filter.

   Tip: A filter cannot be saved without search parameters. If the search field is empty, the system will display an error.

   You can enter search terms that the event must contain (Search For:) or terms that the events must not contain (Exclude From Search:). Click the “Search For:” field to display a drop-down list from which you can select “Exclude From Search:”.

   If you specify more than one search term, Logger uses the AND operator to combine them in the resulting search query.

• To add additional search term click the () icon.
• To remove a search term, click the () icon.
• To remove all search terms, click the () icon.
3. Enter constraints to limit your search to specific device groups, devices, or storage groups in the “Where do you want to look?” section. Click the () icon to display a list from which you can choose the constraints.
4. Click Start.
5. The search results are automatically displayed in the Search Results display screen.

To update the Live Event Viewer query:

1. In the Search Composer tab of the Live Event Viewer, update the search terms.
2. Click Stop first and then click Start to start search using the new search terms.

To export Search Results display:

1. Make sure you have stopped the Live Event Viewer. To do so, click the () icon in the Search Results display window.
2. Click the () icon to open the Export Options window.
3. To export the displayed search results, select the Export options, as described in To export the results of your search: then click Export.