The search results table displays the number of events scanned, the number of events found, the index status of each event type, and the execution time. Each event can be displayed either as raw text or as parsed data; by default, the parsed data is shown.
Below the histogram, events are shown in table form, one row per event. On the Analyze > Search page, the view menu bar lets you review the data in 3 different ways, as described below. Next to the view menu bar, you can see the total number of events scanned and displayed and the time it took to execute the search.
Raw view: shows only the Logger and Raw Data columns, along with Event Time, Receipt Time and DeviceReceiptTime.
Grid view: the view in which events are laid out one per row. It permits comparison between specific (CEF and non-CEF) events in a pivot table format. Within this view, you can also access the following information:
Event Details: this pop-up window opens when you click an event and shows the raw event, agent, destination, device, deviceCustom, extra fields and root data. The icons in this window let you move to the first, previous, next and last event, show or hide null fields, and expand or collapse categories. The window can be closed at any time.
Compare Events: this pop-up window compares from 2 to 10 events, one per column. The window can be minimized, maximized, or closed as needed.
Show/Hide RAW: when the grid view is active, click the arrow at the top left of the table to view the raw data for all events. Click the arrow again to hide it. To view the raw data for a specific event, click the arrow icon on that event.
Above the histogram, you can hide or show the histogram information by clicking the corresponding arrows.
Terms that match your query are highlighted. As you point to other terms in the events table, they are highlighted as well, in both the raw data and the other values displayed in the column. You can point to and highlight any matching value anywhere in the table, not just in the columns.
Tip: On the Search page, you can also add a highlighted term to your search by simply clicking it. The term is automatically added to the search box.
You can drill down into the displayed search results by clicking a green-highlighted term to add it to the current query. For example, if you search for “login” and roll over the word “fail” in the search results, “fail” is highlighted in green. Click the word “fail” to change the query to “login AND fail”.
By default, a Field Summary panel is displayed to the left of the matched events. It lists the fields that occur in the matching events and, for each field, the number of unique values found in those events. For more information, see The Field Summary Panel.