5.3 Refining Search Results

The search refinement pane to the left of the search results narrows the results to events that have one or more selected values for an event field. You can refine the results on one or more event fields at a time.

The set of event fields that is displayed in the search refinement pane is configurable on a per-user basis.

For more information on each of these event fields, see Section E.0, Event Fields.

For performance reasons, the event field value statistics are calculated on a sample of at most 50,000 events. The actual sample size is displayed in the field count label as:

Field counts based on the first <sample-size> events, where <sample-size> is replaced by the actual sample size.

To refine search results:

  1. Log in to Novell Sentinel Log Manager.

  2. Run an event search.

    For more information on how to run an event search, see Running an Event Search.

  3. Click fields in the REFINE section. The Select Event Fields window is displayed.

  4. To refine the search, select the event fields from the available fields, and click Save.

    To deselect all the selected event fields, click the Clear all link.

    To undo any changes, click Cancel.

    The selected event fields are displayed in the REFINE pane.

    A count at the right side of each event field displays the number of unique values that exist for that field in the search results. The count is calculated from the first 50,000 events found.

    The event field selection is on a per-user basis. Each user can have a different set of selected event fields.

  5. Click each event field to view the unique values for that event field.

    For example, if the search results contain events with severities 1, 2, 4, and 5, the event field is displayed as Severity (4).

    The top 10 unique values are initially displayed in the order of most frequent to least frequent.

    The value next to the check box represents the unique value for that event field and the value at the far right represents the number of times the value appears in the search result.

    If several unique values occur the same number of times in a search, those values are ordered by the most recent occurrence of each value.

    For example, if events of severity 1 and severity 4 each occurred 34 times in the search results, and an event of severity 4 was logged more recently than any event of severity 1, the unique value 4 appears above 1 in the list.

    To display the unique values in the order of least frequent to most frequent, click reverse.

    When there are more than 10 unique values, you can view and filter on either the top 10 or the bottom 10 unique values. You cannot refine the search on values from both lists at the same time.

    In the following scenarios, the number of events returned by a refinement can be greater than the count displayed for the event field value:

    • If the refinement performs a new search that intersects additional terms with the initial search string (for example, by using an AND operator), the new search runs against all events in the system, not only against the result set of the initial search. Events that arrived in the system after the initial search and match the refined search are included in the result set, so the event count is greater than the field value count.

    • If there are more than 50,000 events, the event field statistics are calculated on the first 50,000 events only.

      An event field value could occur 50 times in the first 50,000 events but 1,000 times across all stored events. In this scenario, the displayed value count is 50, but refining the search on this value returns 1,000 events.

  6. Select the unique values to apply in the search refinement pop-up, then click OK.

    Selected event field values are listed under the event field in the REFINE pane.

    The right pane displays the refined search results, which contain only the selected values.

  7. Repeat Step 3 through Step 6 to further refine the search.

  8. (Optional) Click clear to clear the selected unique event field values from the REFINE pane and to return to the original search results.

  9. (Optional) Click add to search to add the refined search values to the current search tab and to recalculate the search statistics.

    If you have already added the event field value to the current search tab, clicking clear does not return to the previous search results.
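The following Python model is an added illustration of the behaviour Step 5 describes (the sample cap, most-frequent-first ordering with ties broken by the most recent occurrence, the reverse view, and why a refinement can return more events than the displayed count). It is not Sentinel Log Manager code. The event representation (a dict with an epoch-seconds "ts" and flat field names), the 100-event sample size used in the demo, and the constructed events are assumptions made for the example.

```python
"""Model of the REFINE pane statistics described in this section.

Added example, not Sentinel Log Manager code. Assumptions: an event is a
dict with an epoch-seconds "ts" and flat field names such as "Severity";
a search result is a list in the order the search returned it (most
recent first), so "the first N events" are the first N list entries.
"""
from collections import Counter

SAMPLE_SIZE = 50_000  # maximum sample size documented for field statistics
TOP_N = 10            # number of unique values initially shown per field


def field_value_stats(events, field, sample_size=SAMPLE_SIZE):
    """Return [(value, count)] for `field`, computed on the first
    `sample_size` events only, ordered most frequent first. Values with
    equal counts are ordered by their most recent occurrence (latest ts
    first), as Step 5 describes."""
    counts = Counter()
    latest = {}
    for ev in events[:sample_size]:
        if field not in ev:
            continue
        value = ev[field]
        counts[value] += 1
        if value not in latest or ev["ts"] > latest[value]:
            latest[value] = ev["ts"]
    return sorted(counts.items(), key=lambda kv: (-kv[1], -latest[kv[0]]))


def field_count_label(events, sample_size=SAMPLE_SIZE):
    """The label shown above the counts, with the actual sample size."""
    return f"Field counts based on the first {min(len(events), sample_size)} events"


def top_values(stats, n=TOP_N, reverse=False):
    """The top-n slice, or the bottom-n slice after clicking 'reverse'."""
    ordered = list(reversed(stats)) if reverse else stats
    return ordered[:n]


def refine(all_events, field, selected):
    """Apply a refinement: keep every event in the whole store (not only
    the sampled events) whose field has one of the selected values."""
    wanted = set(selected)
    return [ev for ev in all_events if ev.get(field) in wanted]


def build_events():
    """Constructed test data (not product output): 1,000 events, most
    recent first. Among the first 100, Severity 1 and 4 each occur 34
    times and the single most recent event has Severity 4; the remaining
    900 events all have Severity 5."""
    severities = [4] + [1] * 34 + [4] * 33 + [2] * 20 + [5] * 12 + [5] * 900
    start = 1_700_000_000  # arbitrary epoch start for the constructed data
    return [{"ts": start - i, "Severity": sev} for i, sev in enumerate(severities)]


def demo(sample_size=100):
    """Run the scenario with a 100-event sample so the effects are visible."""
    events = build_events()
    stats = field_value_stats(events, "Severity", sample_size)
    refined = refine(events, "Severity", [5])
    # First scenario in Step 5: three Severity 5 events arrive after the
    # initial search; a refinement run as a new search matches them too.
    arrivals = [{"ts": 1_700_000_001 + i, "Severity": 5} for i in range(3)]
    refined_later = refine(arrivals + events, "Severity", [5])
    return {
        "label": field_count_label(events, sample_size),
        "stats": stats,
        "bottom2": top_values(stats, 2, reverse=True),
        "shown_count_for_5": dict(stats)[5],
        "refined": len(refined),
        "refined_after_arrivals": len(refined_later),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the 100-event sample, Severity 5 is displayed with a count of 12 although refining on it returns 912 events (915 once three more Severity 5 events have been ingested); the tie between severities 4 and 1 is resolved in favour of 4 because the most recent event in the sample has that severity.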