7.3 Viewing Search Results

Searches return a set of events. You can view the search results in the basic view or in the advanced view.

When results are sorted by relevance, only the top 50,000 events can be viewed. When they are sorted by time, all the events in the system are displayed.

7.3.1 Basic Event View

The information in each event is grouped into General Event information, Initiator information, Target information, Observer information, Reporter information, Customer values, and retention policy information. If the Collector that processed the raw data could not find the information for a particular event field, then that field is either not displayed or is labeled Unknown.

To view the raw data information, launch the Event Source Management (Live View) window and select the Open Raw Data Tap option. The Raw Data window is displayed, and you can view the detailed information in the Raw Data Details section. If the information you expect is not there, check whether the source system can be reconfigured to include the missing information in the syslog data it sends.

If the Collector parsing logic could not parse the existing raw data, the affected fields might not be displayed or might be labeled Unknown. To fix this, the Collector parsing logic needs to be enhanced.

Occasionally, the search engine might index events faster than they are inserted into the data directory. If a user runs a search that matches events that have not yet been inserted into the data directory, the user gets a message stating that some events match the search query but were not found in the data directory. If the search is run again later, the events will be present in the data directory and the search will complete successfully.

7.3.2 Event View with Details

  1. To view the details about all the events, click the all details link at the top of the search result page. The details for all events on a page can be expanded or collapsed by using the all details+ or all details- link.

  2. You can view details about any individual event by clicking the details link at the right side of the page. The details for all events on a page can be expanded or collapsed by using the details+ or details- link.

  3. Click the show extended info link to view additional details of the Reporter information and Extended Information. This information can be expanded or collapsed by using the show extended information or hide extended information link.

    NOTE: The show extended information link is displayed only if Sentinel Log Manager contains Reporter information or extended information for the event.