Searches return a set of events. You can view the search results in the basic view or in the advanced view.
When results are sorted by relevance, only the top 50,000 events can be viewed. When they are sorted by time, all the events in the system are displayed.
The information in each event is grouped into General Event information, Initiator information, Target information, Observer Information, Reporter information, and Customer values and retention policy information.
To view the raw data information:
Launch the Event Source Management (Live View) window.
Select the option to display the window.
You can view the detailed information in the section.
NOTE: You must have the necessary permissions to view all data. For more information, see Section 10.1.3, Setting Permissions.
Occasionally, the search engine might index events faster than they are inserted into the data directory. If you run a search that returns events that have not yet been added to the data directory, you get a message indicating that some events match the search query but were not found in the data directory. If you run the search again later, the events have been added to the data directory and the search is shown as successful.
To view details about all events, click the link at the top of the search results page.
You can expand or collapse the details for all events on a page by using the or link.
To view details such as the Message, Event ID, and default data retention duration information for any individual event, click the + link next to the event.
You can expand or collapse the information for the events by clicking the or link.
Click the link to view additional details of the events.
You can expand or collapse this information by using the or links.
The detailed view displays information such as the Source IP address, Rawdata Record ID, Collector Script, Collector name, Collector Manager ID, Connector ID, and Event Source ID information for the incoming events.
Rawdata Record ID: Displays the raw data record ID and provides information about the raw data record that initiated the event.
Collector Plugin: Displays the name of the collector plug-in script.
Collector: Displays the name of the collector.
Collector Manager ID: Displays the name of the Collector Manager.
Connector ID: Displays the name of the Connector.
Event Source ID: Displays the name of the Collector Manager.
If the Collector, Collector Manager, Connector, and EventSource plug-in instances are deleted, the IDs are displayed instead of the names.
Click the link to view information about all associated fields for the particular event.
The list shows only the event fields that have values.
(Optional) Click the link to open a new tab with the event source hierarchy and event source fields populated, based on the information received from the event.
NOTE: You must have the necessary permissions to perform this step. For more information, see Section 10.1.3, Setting Permissions.
If the search result is a system or an internal event, the link does not appear.
To verify and download the raw data files, see Section 3.5, Verifying and Downloading Raw Data Files.
On systems running with the free license, events that are received while the system averages more than 25 EPS are tagged with the OverEPSLimit tag. These events are displayed as Over EPS Limit in the search results, and the details of such events are not accessible until you upgrade the system with the enterprise license.
The following image shows a sample search result that includes the OverEPSLimit tagged events:
Figure 5-2 Search Results with Tagged Events
After you upgrade the system with the enterprise license, the full details of all the tagged events are available when you perform the search again. You can use the OverEPSLimit tag to specifically search for any such tagged events by adding rv145:OverEpsLimit to the search criteria.
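The following is an added illustration, not Sentinel's own code, of the tagging behaviour described above: events that arrive while the average rate exceeds the 25 EPS free-license limit are tagged OverEPSLimit, a search on the rv145:OverEpsLimit criterion returns only those events, and their details stay hidden under the free license. The trailing averaging window (10 seconds here), the event dictionaries, the `rv145` field name standing in for the tag field, and the functions `sample_events`, `tag_over_eps`, `search` and `can_view_details` are all assumptions made for this example; the documentation does not specify how the average is computed.

```python
"""Constructed example: trailing-average EPS tagging and tag-based search.

Not Sentinel's own code. The window length, event structure and function
names are assumptions made for illustration only.
"""
from collections import deque

EPS_LIMIT = 25          # free-license limit stated in the documentation
WINDOW_SECONDS = 10     # assumed averaging window (not stated by the docs)
TAG = "OverEPSLimit"    # tag name as documented


def sample_events():
    """Constructed input: a 300-event burst over 10 s (30 EPS), then a quiet tail."""
    burst = [{"id": i, "ts": i / 30.0, "msg": "burst event"} for i in range(300)]
    tail = [{"id": 300 + k, "ts": 100.0 + k, "msg": "quiet event"} for k in range(3)]
    return burst + tail


def tag_over_eps(events, eps_limit=EPS_LIMIT, window=WINDOW_SECONDS):
    """Return copies of the events, each with an 'rv145' field that holds the
    OverEPSLimit tag when the trailing average EPS at arrival exceeds the limit."""
    recent = deque()      # arrival timestamps still inside the trailing window
    tagged = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        recent.append(ev["ts"])
        # Drop arrivals that have fallen out of the window.
        while recent and recent[0] <= ev["ts"] - window:
            recent.popleft()
        avg_eps = len(recent) / window
        out = dict(ev)
        out["rv145"] = TAG if avg_eps > eps_limit else ""
        tagged.append(out)
    return tagged


def search(events, criteria):
    """Minimal field:value matcher for a criterion such as 'rv145:OverEpsLimit'.

    The comparison is case-insensitive because the documented criterion spells
    the value OverEpsLimit while the tag itself is written OverEPSLimit."""
    field, _, value = criteria.partition(":")
    return [e for e in events if str(e.get(field, "")).lower() == value.lower()]


def can_view_details(event, license_type):
    """Details of a tagged event are hidden until the enterprise license is applied."""
    if event.get("rv145") == TAG and license_type != "enterprise":
        return False
    return True


if __name__ == "__main__":
    tagged = tag_over_eps(sample_events())
    hits = search(tagged, "rv145:OverEpsLimit")
    print(f"{len(hits)} of {len(tagged)} events tagged {TAG}")
    print("details visible under free license:", can_view_details(hits[0], "free"))
```

With the constructed burst, the average crosses 25 EPS once 250 events sit inside the 10-second window, so the last 50 burst events are tagged and the quiet tail is not; the search on `rv145:OverEpsLimit` returns exactly those 50.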