6.2.1 Basic Event View

The information in each event is grouped into Initiator information and Target information. If data isn’t available for a particular event field, the fields are labeled Unknown.

Figure 6-3 Basic Event View

Occasionally, the search engine might index events faster than they are inserted into the database. If a user runs a search that returns events that have not been inserted into the database, the user gets a message that some events match the search query but could not be found in the database. Generally if the search is run again later, the events are in the database and the search is successful.

Figure 6-4 Events Indexed but Not Yet in Database

6.2.2 Event View with Details

Users can view additional details about any event or events by clicking the details link on the right side of the page.The details for all events on a page can be expanded or collapsed by using the All Details++ or All details-- link. This preference is retained as you scan through multiple pages of results or execute new searches.

Figure 6-5 Event View with Details

The event above shows the same event as in Figure 6-3 but with an expanded view that shows additional data fields that might have been populated.

6.2.3 Refining Search Results

After viewing the results of a search, it might be necessary to refine the search results and add additional search criteria. For example, you might see one initiator user’s name appear several times in the search results and want to see more events from that initiator.

To filter the search results using a specific value appearing in the search results:

Some fields cannot be selected to refine a search this way: