20.4 Managing the Data Federation Search Results

The Search Results page displays the events from the selected data source servers and the local server, based on the search criteria you specified. Each event displays the data source server information from which the event is being retrieved.

You can expand the event results to see the details by clicking the All link.

For non-internal events, the get raw data link is displayed. You can view the raw data only if your role's security filter is set to view all event data.

NOTE: For search results that come from the data source servers, the role used to retrieve raw data is not the role of the logged-in user performing the search on the authorized requestor server, but the role assigned to the authorized requestor server on the data source server. The data source server's own security filter for that role therefore determines whether raw data is returned.

You can view the status of the search in the extended status page while a search is in progress as well as when the search has finished. To access the extended status page, click the Displaying N of M events from X data sources link that appears at the top of the refinement panel.

The extended status page displays the following information:

  • Data Source Name: The descriptive name of the data source server. If you did not specify a descriptive name for the data source server, this field displays the IP address or DNS name of the data source server.

  • Events Available: Indicates the number of events that have actually been retrieved from the data source server. The value is displayed as N of M events available, where N is the number of events that have been retrieved so far and M is the total number of events on the data source server that match the search criteria.

  • Retrieval Rate (EPS): An approximate rate of how fast the events were retrieved from a specific data source server.

  • Status: Displays error messages, if any (generally in red). In addition to error messages, this field also displays the status of the search on that data source server, which is one of the following:

    • Running: Indicates that the search is still running on the data source server.

    • Buffering events for display: Indicates that the search is finished on the data source server, but the authorized requestor server is retrieving events from the data source server and buffering them for display.

    • Paused buffering events for display: Indicates that the search is finished on the data source server, and the authorized requestor has paused while retrieving events from the data source. The authorized requestor reads ahead a few pages from the last page that you scrolled down to. When it has buffered enough pages ahead, it pauses so that events are not buffered unnecessarily.

    • Searching, paused buffering events for display: Similar to Paused buffering events for display, except that the search is not yet complete on the data source server.

    • Done buffering: Indicates that the search is complete on the data source server, and all of the results are retrieved by the authorized requestor and queued for display.

You can further refine the distributed search results and perform various actions based on your requirements. For more information, see Searching Events in the Sentinel User Guide.