The Search Results page displays the events from the selected target servers and the local server, based on the search criteria you specified. Each event displays the target server information from which the event is being retrieved.
Figure 7-2 Distributed Search Results
You can expand the event results to see the details by clicking the
link.For non-internal events, the
link is displayed. You can view the raw data only if your role's security filter is set to View all data.NOTE:For search results that come from the target servers, the role that is used to retrieve raw data is not the role of the logged-in user that is performing the search on the search initiator server, but the role that is assigned to the search initiator server on the target server.
You can view the status of the search in the extended status page while a search is in progress as well as when the search has finished. To access the extended status page, click the
link that appears at the top of the refinement panel.Figure 7-3 Extended Status Page
The extended status page displays the following information:
Target Name: The descriptive name of the target server. If you did not specify a descriptive name for the target server, this field displays the IP address or DNS name of the target server.
Events Available: Indicates the number of events that have actually been retrieved from the target server. The value is displayed as N of M events available, where N is the number of events that have been retrieved so far and M is the total number of events on the target server that match the search criteria.
Retrieval Rate (EPS): An approximate rate of how fast the events were retrieved from a specific target server.
Status: Displays the error messages, if any (generally in red). In addition to error messages, this field also displays the status of the search.
Running: Indicates that the search is still running on the search target server.
Buffering events for display: Indicates that the search is finished on the target server, but the search initiator server is retrieving events from the target server and buffering them for display.
Paused buffering events for display: Indicates that the search is finished on the target server, and the search initiator has paused while retrieving events from the search target. The search initiator reads ahead a few pages from the last page the you scrolled down. When it has buffered enough pages ahead, it pauses so that events are not buffered unnecessarily.
Searching, paused buffering events for display: This is similar to pausing and buffering events for display, except that the search is not yet completed on the target server.
Done buffering: Indicates that the search is completed on the target server, and all of the results are retrieved by the search initiator and queued for display.
You can further refine the distributed search results and perform various actions based on your requirement. For more information, see Section 5.0, Searching.