Real-time Event Views is available only in Sentinel with traditional storage. Sentinel provides a few default event views.
To view events:
Click Real-time Views > Events.
Select an event view and click Open the event view.
Sentinel provides a graphical representation of events for the specified criteria. The chart automatically refreshes after the interval specified in Display Interval.
Event Views use data synchronization policies to display data dynamically and more accurately. When an Event View is displayed for the first time, it checks for any existing data synchronization policy with the same criteria specified in the Criteria field and the same event field specified in the Event Attribute field. If a data synchronization policy with the same criteria and event attribute does not exist, it creates a new data synchronization policy. It initializes the new data synchronization policy with one hour of data, rounding down to the nearest hour. If you want to initialize a data synchronization policy with more than one hour of data, you can modify the policy to sync back up to 24 hours of data in the Storage > Data Synchronization user interface.
NOTE:The data retention period for data synchronization policies associated with Event Views is 1 day. Therefore, syncing back more than 24 hours of data is not advised.
Data synchronization policies related to Event Views remain enabled and active while being used by an Event View. If there are no data requests from an Event View for a given data synchronization policy within a specified time period, the data synchronization policy will be automatically deleted. For information about specifying a time period for the data synchronization policy, see Managing Data Synchronization Policies
in the Sentinel Administration Guide.
As you are viewing event data, you can perform the following actions in the chart:
Mouse over the data points in the chart to view the number of incoming events or events per second for a specific time stamp.
Click any category in the legend to filter the view by the legend items.
Click and drag the mouse to zoom the view for a specific time range.
The event view enables you to view only the summarized event data. To view the event details or perform any event operations, you can do either of the following:
Click a specific area in the chart to open the Search interface with the list of events represented in that area.
Click Search Events.
For information about viewing event details and performing event operations, see Viewing Search Results and Performing Event Operations.
To create and view events in event views, you must have the Create and use Event Views permission.
To create an event view:
From Sentinel Main, click Real-time Views > Events > Create.
Specify the following information:
Name: Specify a unique name for the event view.
Sharing: Select either of the following options:
Public: Allow everyone to view the event view. In the Public mode, other users can only view the events but cannot modify the event view. You are still the owner of the event view.
Private: Only you are able to view the event view.
Criteria: Specify the criteria to view specific events.
Event Attribute: Select the attribute based on which you want to categorize the event data.
Tenant: If you are in a multi-tenant environment, select a tenant name for which you want to view events. The default tenant allows you to view events from all tenants. If you select a tenant, only users of that tenant can view the events in this event view.
This option is available only if you are an administrator in a multi-tenant environment.
Chart Type: Specify the chart type in which you want to view the event data.
Y Axis: Select either of the following options:
Event Count: Displays a graph with number of events for the specified time range.
Event Count per Second: Displays a graph with event rate for the specified time range.
Time range: Select the time range for which you want to view the event data.
Display Interval: Select the time interval between two data points.
Click Save to save the event view configuration.