5.2 Refining Search Results

You can refine search results by the values of specific event fields, using the search refinement (REFINE) pane in the Sentinel Log Manager user interface.

The event fields listed in the REFINE pane are selected on a per-user basis. The selection is preserved across sessions and applied to subsequent searches.

If you have multiple search tabs open, you can select a different set of event fields for each tab. When you save a selection, subsequent searches in that tab display the saved set of event fields.

For more information on each of these event fields, see Section C.0, Event Fields.

For performance reasons, the number of events sampled to calculate the event field value statistics is limited. If the search result set contains fewer than 50,000 events, the refinement counts are based on the entire result set. If the result set contains more than 50,000 events, only the first 50,000 are sampled. The sample size is shown in the field count label as Field counts based on the first <sample-size> events, where <sample-size> is replaced by the actual sample size. Keep this limit in mind when refining large result sets: the counts you see are an estimate over the sample, not a total over everything that matched.

To refine search results:

  1. Log in to Novell Sentinel Log Manager.

  2. Run an event search.

    For more information on how to run an event search, see Running an Event Search.

  3. Select an option from SORT BY to sort the search results.

    You can sort the search results either by the time the event occurred or by the time the event was stored.

  4. Click fields in the REFINE section. The Select Event Fields window is displayed.

    NOTE: The event field selection is on a per-user basis. Each user can have a different set of selected event fields.

    1. To refine the search, select the event fields you want from the available fields, and then click Save.

    2. To deselect all the selected event fields, click the Clear all link.

    3. To discard any changes, click Cancel.

  5. The selected event fields are displayed in the REFINE pane.

    A count at the right side of each event field displays the number of unique values found for that field in the search results. The calculation is based on the first 50,000 events found.

    In the following two scenarios, the number of events returned by a refinement can be greater than the count listed for an event field value:

    1. The refinement performs a new search with the additional terms intersected with the initial search string (using an AND operator). The new search is run against all the events in the system, not only the result set of the initial search. If new events that match the refined search have arrived in the system since the initial search, they are included in the refined result set, so the event count can be greater than the field value count.

    2. If there are more than 50,000 events, the event field statistics are calculated only on the first 50,000 events.

      For example, an event field value might occur 50 times in the first 50,000 events but 1,000 times across all stored events. In that case the displayed value count is 50, but refining the search on this value returns 1,000 events.

  6. Click each event field to view the unique values for that event field.

    For example, if the search results contained events that had severities 1, 2, 5, and 4, then the event field will be displayed as Severity (4).

    The top 10 unique values are initially displayed in order from most frequent to least frequent.

    The value next to the check box is the unique value for that event field, and the number at the far right is the number of times the value appears in the (sampled) search results.

    If multiple unique values occur the same number of times in a search, they are ordered by the most recent occurrence of the value.

    For example, if events of severity 1 and 4 occurred 34 times in the search results, of which an event of severity 4 was logged most recently, then the unique value 4 would appear at the top of the list.

  7. To save the selected unique values in the search refinement term pop-up, click OK.

  8. To display the unique values in order from least frequent to most frequent, click reverse.

    NOTE: When there are more than 10 unique values, you can view and filter on either the top 10 or the bottom 10 unique values. You cannot refine your search on both sets at the same time.

  9. Select one or more of the unique value check boxes to refine the search results on that event field, and then click Save. The selected event field values are listed under the event field in the REFINE pane.

    The right pane displays the refined search results, which contain only the selected values.

  10. Repeat Step 4 through Step 9 to refine the search further.

  11. Click clear to remove the selected unique event field values from the REFINE pane and return to the previous search results.

  12. Click add to search to add the refined search values to the current search tab and run a new search, after which the unique event field values and counts are recalculated.

    NOTE: If you have already added the event field value to the current search tab, clicking clear does not return to the previous search results.
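The behaviour described in the sampling paragraph above and in Steps 5 through 8 (counts taken over the first 50,000 events, ordering by frequency with ties broken by recency, the reverse view, and refinement as a new AND search over all stored events) is easy to misread when the displayed count and the refined result disagree. The following is an added example that models that behaviour; it is not Sentinel Log Manager code. The Event shape, the sample data and the 100-event sample size used in place of 50,000 are constructed for the demonstration.

```python
# Added example (not Sentinel Log Manager code): a small model of how the
# REFINE pane derives its field value counts and why a refinement can return
# more events than the count it displayed. The 50,000-event limit and the
# AND semantics of refinement come from the page; the event shape, the
# sample data and the 100-event sample size used for the demo are constructed.
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Tuple

SAMPLE_SIZE = 50_000   # documented limit: statistics use the first 50,000 events
TOP_N = 10             # values listed per field (top 10, or bottom 10 after "reverse")


@dataclass(frozen=True)
class Event:
    seq: int       # storage order; a higher seq was stored more recently
    sev: int
    src_ip: str


def field_stats(results: List[Event], field: str,
                sample_size: int = SAMPLE_SIZE) -> List[Tuple[object, int]]:
    """(value, count) pairs for `field`, counted over the first `sample_size`
    events of the result set, most frequent first; ties are broken by the
    most recently stored occurrence of the value."""
    sample = results[:sample_size]
    counts: Counter = Counter()
    last_seen: Dict[object, int] = {}
    for ev in sample:
        value = getattr(ev, field)
        counts[value] += 1
        last_seen[value] = max(last_seen.get(value, -1), ev.seq)
    return sorted(counts.items(), key=lambda kv: (-kv[1], -last_seen[kv[0]]))


def visible_values(stats: List[Tuple[object, int]], top: int = TOP_N,
                   reverse: bool = False) -> List[Tuple[object, int]]:
    """The slice of values the pane shows: the top `top` by frequency, or the
    bottom `top` least-frequent-first when "reverse" is clicked."""
    ordered = list(reversed(stats)) if reverse else stats
    return ordered[:top]


def refine(stored: Iterable[Event], initial_query: Callable[[Event], bool],
           field: str, selected: set) -> List[Event]:
    """A refinement is a new search: initial query AND field in selected,
    run against every stored event rather than the earlier result set."""
    return [ev for ev in stored
            if initial_query(ev) and getattr(ev, field) in selected]


def build_events(n: int = 1_000) -> List[Event]:
    """Constructed sample: in the first 100 events severity 5 is rare
    (2 hits) and severities 1 and 4 tie at 49; later events carry many
    severity-5 hits."""
    events = []
    for i in range(n):
        if i < 100:
            sev = 5 if i in (10, 21) else (4 if i % 2 else 1)
        else:
            sev = 5 if i % 3 == 0 else (i % 4) + 1
        events.append(Event(seq=i, sev=sev, src_ip=f"10.0.0.{i % 4}"))
    return events


def demo(sample_size: int = 100) -> dict:
    """Walk through both scenarios from the page, with a 100-event sample
    standing in for the real 50,000 (an assumption to keep the demo small)."""
    stored = build_events()
    initial = lambda ev: ev.src_ip.startswith("10.0.0.")   # matches all events here
    results = [ev for ev in stored if initial(ev)]

    stats = field_stats(results, "sev", sample_size)
    displayed_for_5 = dict(stats)[5]          # the count the pane shows beside "5"

    # Scenario 2: the value is rare in the sample but common overall.
    refined = refine(stored, initial, "sev", {5})

    # Scenario 1: new events arrived after the initial search; the refinement
    # re-runs over all stored events, so they are picked up as well.
    arrived = [Event(seq=len(stored) + k, sev=5, src_ip="10.0.0.9") for k in range(5)]
    refined_after_arrival = refine(stored + arrived, initial, "sev", {5})

    return {
        "label": f"Field counts based on the first {sample_size} events",
        "stats": stats,
        "reverse": visible_values(stats, reverse=True),
        "displayed_for_5": displayed_for_5,
        "refined": len(refined),
        "refined_after_arrival": len(refined_after_arrival),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running the demo shows the pane listing 4 before 1 although both occur 49 times (severity 4 was stored more recently), severity 5 with a displayed count of 2, and a refinement on severity 5 returning 302 events, or 307 once five more severity-5 events have arrived. When the displayed count and the refined result set disagree in production, check the Field counts based on the first <sample-size> events label before concluding that data is missing.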