5.2 Viewing Search Results

Searches return a set of events. You can view the search results in the basic view or in the advanced view.

When results are sorted by relevance, only the top 50,000 events can be viewed. When they are sorted by time, all the events in the system are displayed.

5.2.1 Basic Event View

The information in each event is grouped into General Event information, Initiator information, Target information, Observer information, Reporter information, and Customer values and retention policy information.

To view the raw data information:

  1. Launch the Event Source Management (Live View) window.

  2. Select the Open Raw Data Tap option to display the Raw Data window.

    You can view the detailed information in the Raw Data Details section.

NOTE: You must have the necessary permissions to view all data. For more information, see Section 10.1.3, Setting Permissions.

Occasionally, the search engine might index events faster than they are inserted into the data directory. If you run a search that returns events that have not yet been added to the data directory, you get a message indicating that some events match the search query but were not found in the data directory. If you run the search again later, after the events have been added to the data directory, the search is shown as successful.

5.2.2 Event View with Details

  1. To view details about all events, click the all details link at the top of the search results page.

    You can expand or collapse the details for all events on a page by using the all details++ or all details-- link.

  2. To view details such as the Message, Event ID, and default data retention duration information for any individual event, click the details+ link next to the event.

    You can expand or collapse the information for the events by clicking the details+ or details- link.

  3. Click the show extended info link to view additional details of the events.

    You can expand or collapse this information by using the show extended information or hide extended information links.

    The detailed view displays information such as the Source IP address, Rawdata Record ID, Collector Script, Collector name, Collector Manager ID, Connector ID, and Event Source ID information for the incoming events.

    • Rawdata Record ID: Displays the raw data record ID and provides information about the raw data record that initiated the event.

    • Collector Plugin: Displays the name of the collector plug-in script.

    • Collector: Displays the name of the collector.

    • Collector Manager ID: Displays the name of the Collector Manager.

    • Connector ID: Displays the name of the Connector.

    • Event Source ID: Displays the name of the Collector Manager.

    If the Collector, Collector Manager, Connector, and EventSource plug-in instances are deleted, the IDs are displayed instead of the names.

  4. Click the show all fields link to view information about all associated fields for the particular event.

    The list shows only the event fields that have values.

  5. (Optional) Click the get raw data link to open a new Raw Data tab with event source hierarchy and event source fields populated, based on the information received from the event.

    NOTE: You must have the necessary permissions to perform this step. For more information, see Section 10.1.3, Setting Permissions.

    If the search result is a system or an internal event, the get raw data link does not appear.

    To verify and download the raw data files, see Section 3.5, Verifying and Downloading Raw Data Files.