
Investigate: Use Columns and Column Groups in the Events List

Document created by RSA Information Design and Development Employee on Sep 18, 2017. Last modified by RSA Information Design and Development Employee on Apr 23, 2020.

When the events list in Investigate is populated with events, each column lists the values returned for a meta key. Changing the meta keys displayed in the events list is a useful method of narrowing the focus of your investigation. For example, compare these two figures showing the same set of events with different columns. The first figure has five columns, Collection Time, Type, Theme, Size, and Summary. These are just the basic information, not specialized in any way. The second figure has many more columns that contain information useful when investigating email; you can scroll to the right to see the additional columns.

the Events list with Summary List columns displayed

the Events list with the RSA Email Analysis columns applied

You can adjust the events list as you work, selecting different columns to be displayed, rearranging the order of the columns, changing the width of the columns, and choosing a column by which the list is sorted. Manual adjustments are easy to make if you know which meta keys are relevant, but they apply only to the current session.

To improve your ability to see relevant meta keys quickly when looking at events in the Legacy Events view and the Events view, you can change the set of meta keys displayed by applying a column group. A column group defines the meta keys or meta entities that are displayed as columns, the position of the column in the Events list, and the default width of the column. Column groups are useful in themselves, and they become even more useful when you combine them with meta groups and preQueries to define query profiles (see Use Query Profiles to Encapsulate Common Areas for Investigation).

Note: Version 11.4 has a single Events view, which was known as the Event Analysis view in prior versions. The Legacy Events view from Versions 11.3 and earlier is still available when your administrator enables the view as described in the System Configuration Guide. If the Legacy Events view is enabled, both views are available in the Investigate submenu.

The same column groups are shared between the Legacy Events view and the Events view and are visible globally to all users. When importing a column group, the imported group is limited to the available meta keys for the service being investigated.

Large column groups can have a performance impact when loading data because the values for each meta key are loaded in the events list. To minimize impact on performance, the Events view has a fixed limit on the number of meta keys in a column group. The maximum number of meta keys in a column group is 40. Because default keys are included, you may see more than 40 displayed on the screen. A column group must have at least one column. Meta keys that are not in the selected column group are not loaded in the events list. By default all columns in the group are loaded, but only 15 are displayed by default.

The Legacy Events view does not have a limit on the number of meta keys in a column group, and may have more than 40 meta keys in a column group. If you apply a column group with more than 40 meta keys that was created in the Legacy Events view, all columns are loaded in the Events view. However, when you edit a column group that exceeds the limit, the number of columns must be reduced to comply with the fixed limit of 40.

Note: In Version 11.3, column groups are created and managed in the Events view and available for use in the Event Analysis view. All existing column groups, both built-in and custom, are available in the 11.4 Events view. The complete column group management functionality is available in the Legacy Events view, and all functionality except cloning, importing, and exporting column groups is available in the 11.4 Events view.

NetWitness Platform has built-in column groups that include useful meta keys for specific types of investigation. The built-in groups cannot be edited or deleted, but you can create a copy of the group and edit the copy. The column groups are listed in alphabetical order in the Column Group menu in a way that makes built-in groups distinguishable from custom groups that you imported or created. In the Legacy Events view, "RSA" precedes the name of built-in column groups. In the Events view (Version 11.4 and later), RSA precedes the name and the group is marked by the lock symbol (the Lock icon). These are the built-in column groups.

  • RSA Email Analysis: Includes meta keys that are useful when investigating email-related metadata.
  • RSA Endpoint Analysis: Includes meta keys that are useful when investigating endpoint-related metadata.
  • RSA Malware Analysis: Includes meta keys that are useful when investigating potential malware.
  • RSA Outbound HTTP: Includes meta keys that are useful when investigating Outbound HTTP-related metadata.
  • RSA Outbound SSL/TLS: Includes meta keys that are useful when investigating Outbound SSL/TLS analysis-related metadata.
  • RSA Threat Analysis: Includes meta keys that mark potential threats in the data set.
  • RSA User and Entity Behavior Analysis: Includes meta keys that are useful when investigating UEBA data.
  • RSA Web Analysis: Includes meta keys that mark anomalies in web traffic.
  • Summary List: Includes meta keys that are useful in a general investigation. This is the default column group.

You can create custom column groups to support scenarios that you use frequently while working in Investigate. If you edit a custom column group, your changes are applied globally. If you delete a custom column group, the group is deleted and no longer available for all analysts. When an administrator adds custom meta groups manually by editing the custom index file for a service, the new groups become available to Investigate after the service is restarted.

Dialogs for Managing Column Groups

While the functionality of column groups is similar in the Legacy Events view and the Events view, the user interface and some of the procedures are different. The following figures illustrate the (Events view) Create Column Group dialog and the (Legacy Events view) Manage Column Groups dialog.

the Create Column Group dialog


the Manage Column Groups dialog

Using options in the Create Column Group dialog and the Column Group Details dialog, you can:

  • See the details of a column group.
  • Create, edit, and delete custom column groups.

Using options in the Manage Column Groups dialog, you can do all of the above and these additional functions:

  • Clone and edit the clone of a built-in or custom column group.
  • Import and export a column group.

The rest of this topic provides instructions for working with column groups in the 11.4 Events view, the 11.3 and earlier Event Analysis view, and the Legacy Events view.

Work with Columns and Column Groups in the 11.4 Events View

After the upgrade to Version 11.4, all of the existing column groups -- both built-in and custom -- are available for management in the Events view. Unless noted, the procedures in this section are for the Events view.

Manually Select Columns to Display and Adjust Column Order and Width

Note: The Column Selector was also available in the 11.3 Event Analysis view. If a column group includes a column for a meta key that your administrator has blacklisted (hidden), the data for that column cannot be displayed. The column is not available in the Column Selector and is not displayed in the Events panel.

  1. With the Events list open and a column group applied, click the settings icon to display the column selector.
    Column selector filtering list
  2. Select the meta keys or enter the name of a meta key that you want to display in additional columns. 
  3. Deselect the meta keys that you do not want to display in a column.
    The data is redisplayed using the selected columns.
  4. To change the width of the columns in the events list, hover the cursor over the column title and drag the column divider to the right or the left.
  5. To rearrange the order of the columns across the top of the events list, hover the cursor over the column title and drag the column to the right or the left.
    The changes that you make in the events list are in effect during the current session and are not retained as part of the column group. The next time the column group is applied, the original composition and order of columns is applied.

Select a Column for Sorting Events in the Events Panel

Note: You can sort events in the Events panel after results have finished loading if all connected services are updated to 11.4 or later. Sorting by column is disabled when any connected service is running an earlier version of NetWitness Platform. Version 11.4.1 has more visible sorting toggles in the column heads and the ability to view results without sorting, but otherwise it functions the same as in Version 11.4.

You can change the order of the events list in the Events panel based on the value for a meta key in the event. Each column title represents a meta key, and the column is populated by the values found for the meta key in the displayed events. In Version 11.4, the events in the Events panel are sorted using the method selected in the Event Preferences dialog: Ascending or Descending. If no sort method is selected, the default order is ascending (see Configure the Events View). In Version 11.4.1, the events in the Events panel are sorted only when the sort preference in the Event Preferences dialog is selected and is either Ascending or Descending. The events are not sorted if you do not have a sort preference selected under Events Preferences or if you selected Unsorted.

Sortability of a column is based on the definition of the meta key in the Broker and Concentrator index files. Columns for meta keys that are indexed by value are sortable. If the meta key is not indexed, is indexed by meta key, or has multiple values in the same event, it is not sortable.

  • These are some examples of keys that are indexed by value and sortable: time, eth.type, city.src, ip.src, ipv6.dst, and ipv6.src.
  • Meta entities are not sortable. For example, the meta entity ipv6.all is not sortable because it includes ipv6.dst and ipv6.src, and a single event has both ipv6.dst and ipv6.src.
  • These are some examples of multiple value keys, which cannot be sorted: filename, filetype, and attachment. A single event can have more than one file and therefore more than one value for filename, filetype, and attachment.
  • These are some examples of meta keys that cannot be sorted because they are not indexed or not indexed at the values level: password, query, and size.
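The sortability rules above (indexed by value and single-valued means sortable; meta entities, multi-value keys and keys not indexed at the value level are not) can be written as a small decision function. The following is an added illustration, not NetWitness code: the MetaKeyDef record, the INDEX_* levels, the sortability and sortable_columns helpers, and the sample index definitions are all constructed here to mirror the page's examples, and the specific index level assigned to password and size is an assumption.

```python
"""Decide whether an Events-list column can be sorted, following the rules the
page gives: a meta key is sortable only when it is indexed by value and carries
a single value per event. The index model and sample definitions below are
constructed for this illustration; they are not NetWitness index files or the
product's own logic."""
from dataclasses import dataclass

INDEX_NONE = "none"    # not indexed at all
INDEX_KEY = "key"      # indexed by key only (existence of the key)
INDEX_VALUE = "value"  # indexed by value


@dataclass(frozen=True)
class MetaKeyDef:
    name: str
    index_level: str            # one of the INDEX_* constants
    multi_valued: bool = False  # more than one value can occur in one event
    entity_of: tuple = ()       # non-empty when this is a meta entity


def sortability(defn: MetaKeyDef) -> tuple:
    """Return (sortable, reason); the reason is the text a tooltip would show."""
    if defn.entity_of:
        return False, f"{defn.name} is a meta entity spanning {', '.join(defn.entity_of)}"
    if defn.index_level == INDEX_NONE:
        return False, f"{defn.name} is not indexed"
    if defn.index_level == INDEX_KEY:
        return False, f"{defn.name} is indexed by key, not by value"
    if defn.multi_valued:
        return False, f"{defn.name} can have multiple values in one event"
    return True, "indexed by value, one value per event"


# Constructed sample definitions mirroring the page's examples (the index levels
# chosen for password and size are assumptions for the illustration).
SAMPLE_INDEX = {
    "time": MetaKeyDef("time", INDEX_VALUE),
    "ip.src": MetaKeyDef("ip.src", INDEX_VALUE),
    "ipv6.dst": MetaKeyDef("ipv6.dst", INDEX_VALUE),
    "ipv6.src": MetaKeyDef("ipv6.src", INDEX_VALUE),
    "ipv6.all": MetaKeyDef("ipv6.all", INDEX_VALUE, entity_of=("ipv6.dst", "ipv6.src")),
    "filename": MetaKeyDef("filename", INDEX_VALUE, multi_valued=True),
    "attachment": MetaKeyDef("attachment", INDEX_VALUE, multi_valued=True),
    "password": MetaKeyDef("password", INDEX_NONE),
    "size": MetaKeyDef("size", INDEX_KEY),
}


def sortable_columns(column_group: list, index: dict) -> dict:
    """Evaluate every column of a group; a key missing from the index is treated
    as not indexed, so it is reported as unsortable rather than raising."""
    result = {}
    for key in column_group:
        defn = index.get(key, MetaKeyDef(key, INDEX_NONE))
        result[key] = sortability(defn)
    return result


if __name__ == "__main__":
    for key, (ok, why) in sortable_columns(list(SAMPLE_INDEX), SAMPLE_INDEX).items():
        print(f"{key:12} {'sortable' if ok else 'not sortable':13} {why}")
```

Running the block prints one line per sample key with the reason, which is the same information the Events view shows in the tooltip of an unsortable column.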

Version 11.4.1 Sorting by Column

The initial view of the Events list with the sorting preference set to Unsorted and no column sorting has an event count in the title, with no indication of a sorting method applied to a column. In this case more than 1000 events matched the query, and only 1000 events as processed by the Core services are displayed. Clicking the amber warning triangle displays an explanation. If the event sorting preference is set to Ascending, the count label is "Oldest 1,000 Events." If the event sorting preference is set to Descending, the count label is "Newest 1,000 Events." Refer to Configure the Events View for more information about the sorting preference.

Unsorted Events list

When you move the mouse over a column title, sortable columns have a pair of arrows after the column title, one pointing up for ascending and one pointing down for descending (Sortable Column Indicator). You can choose one sort column and the direction of the sort. A blue up arrow (ascending order in effect) indicates that ascending sort order is in effect, which means the earliest events, the lowest numbers, or the text strings beginning with an 'A' appear first. A blue down arrow (descending order in effect) indicates that descending sort order is in effect, which means the latest events, the highest numbers, or the text strings beginning with a 'Z' appear first.

  • When a column has a blue arrow, you can click the white arrow to change the sort order. When you change the sort order, a blue progress bar is displayed in the Events list title bar to show progress. As sorting begins, there is a short segment on the left side of the window; as sorting progresses the blue color extends to the right across the entire title bar. The directional arrow does not change until the events are re-sorted in the chosen sort order.
  • To change the column to unsorted, you can click the blue arrow. Both arrows are white now to show that the column is unsorted. This figure shows the Type column sorted in ascending order.
    the title of a sortable column, sorted in ascending order
  • If a column is not sortable, no arrow is displayed when you hover the mouse over the column title. Instead a tooltip explains why it is not sortable.

Sorting on a column is done on the client side without re-executing the query if the number of displayed results is less than the events limit set by the administrator. If there are more results that are not displayed because the number of results exceeded the events limit, a new query is submitted with the new sort order, and the same service, time range, and filters. The current results are removed, a spinner indicates progress, the Cancel button becomes available, the reconstruction closes, and progress is visible in the Query console.

Note: The re-sorting of events takes place in the browser when the number of results of the original query is less than the event display threshold.

To change the sort order or the sort column:

  1. Move the mouse over the column titles to find a sortable column.
    If a column is not sortable, a tooltip that explains the reason is displayed.
  2. To sort the list based on a column, move the mouse over a sortable column and click one of the arrows (ascending order in effect).
    The arrow turns blue and the events are reloaded in the selected order. If both arrows are white, the column is not being used to sort the events list. If one arrow is blue, the column is being used to sort the events list, and the sort order (Asc or Desc) is appended to the events count in the title bar. This figure shows a column sorted in ascending order. When a column is descending order, (Desc) is appended to the event count.
    a column sorted in ascending order
    1. Click a white arrow to sort the events list in that order.
    2. Click a blue arrow to return to unsorted order.

Version 11.4 Sorting by Column

When you move the mouse over a column title, sortable columns have an up or down arrow (Ascending sort order indicator or Descending Sort order indicator) after the column title. You can choose one sort column and the direction of the sort. An up arrow indicates that Ascending sort order is in effect, which means the earliest events, the lowest numbers, or the text strings beginning with an 'A' appear first. A down arrow indicates that Descending sort order is in effect, which means the latest events, the highest numbers, or the text strings beginning with a 'Z' appear first. When you select a sort column, it is sorted in descending order by default, with events having a null value for the meta key first.

  • A column that is being used to sort the events list has a bright white arrow indicating the direction that you can choose for sorting: click Ascending sort order indicator to change to Ascending or Descending Sort order indicator to change to Descending order. When you click Ascending sort order indicator to change to Ascending sort order, the directional arrow does not change until the events are re-sorted in ascending order. The same behavior applies when you click the Descending Sort order indicator to change to Descending order.
  • If a sortable column is not being used to sort the events list, the arrow is dimmed. If a column is not sortable, no arrow is displayed when you hover the mouse over the column title. Instead a tooltip explains why it is not sortable.
  • If you click the arrow on a different column, the column is sorted in the same order as the previously active sort column. You can select a different sort order if desired.

Sorting on a column is done on the client side without re-executing the query if the number of displayed results is less than the events limit set by the administrator. If there are more results that are not displayed because the number of results exceeded the events limit, a new query is submitted with the new sort order, and the same service, time range, and filters. The current results are removed, a spinner indicates progress, the Cancel button becomes available, the reconstruction closes, and progress is visible in the Query console.

Note: The re-sorting of events takes place in the browser when the number of results of the original query is less than the event display threshold. If some of those events have the exact same time, they will not change order as you might expect when you reverse the sort order.
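The two behaviours described above for both 11.4 and 11.4.1, re-sorting in the browser when the original result set fits under the events limit and submitting a new query otherwise, and the fact that events sharing the same time keep their relative order when the direction is reversed, can be modelled with a stable sort. The block below is an added illustration and not NetWitness code: the EVENTS_LIMIT value, the event records, and the resort_or_requery and count_label helpers are constructed here, and placing null values first in both sort directions is an assumption (the page states it only for the default descending sort).

```python
"""Model of the client-side re-sort versus re-query decision the page describes.
EVENTS_LIMIT, the sample events and the helper names are constructed for this
illustration; they are not NetWitness code or settings."""

EVENTS_LIMIT = 1000  # constructed stand-in for the administrator's events limit


def resort_or_requery(events, total_matched, sort_key, descending, limit=EVENTS_LIMIT):
    """Return ("client", ordered_events) when the browser can re-sort what it
    already holds, or ("query", None) when a new query with the new sort order
    (same service, time range and filters) is required.

    Python's sort is stable, so events with equal values keep their original
    relative order even with reverse=True: reversing the direction does not flip
    ties, which is the behaviour the note above describes for equal times."""
    if total_matched > limit:
        # Not every matching event is loaded; sorting only the loaded subset
        # would give a misleading order, so the query must be re-run.
        return "query", None
    # Assumption: events lacking the meta key (null) are listed first in both
    # directions; the page states this for the default descending sort.
    nulls = [ev for ev in events if ev.get(sort_key) is None]
    present = [ev for ev in events if ev.get(sort_key) is not None]
    ordered = nulls + sorted(present, key=lambda ev: ev[sort_key], reverse=descending)
    return "client", ordered


def count_label(total_matched, preference, limit=EVENTS_LIMIT):
    """Title label for the Events list, following the 11.4.1 wording on the page:
    when more events matched than the limit, the label names the oldest or newest
    slice according to the sort preference, or just the count when Unsorted."""
    shown = min(total_matched, limit)
    if total_matched <= limit:
        return f"{shown:,} Events"
    if preference == "Ascending":
        return f"Oldest {shown:,} Events"
    if preference == "Descending":
        return f"Newest {shown:,} Events"
    return f"{shown:,} Events"  # Unsorted: count only, warning triangle explains


# Constructed sample events; ids 1 and 3 share the same collection time and
# id 4 has no time value at all.
SAMPLE_EVENTS = [
    {"id": 1, "time": "2020-04-23T10:00:00", "type": "Network"},
    {"id": 2, "time": "2020-04-23T10:00:05", "type": "Log"},
    {"id": 3, "time": "2020-04-23T10:00:00", "type": "Network"},
    {"id": 4, "type": "Endpoint"},
]


def ordered_ids(events, total_matched, sort_key, descending):
    """Convenience wrapper returning just the event ids, or None on re-query."""
    mode, ordered = resort_or_requery(events, total_matched, sort_key, descending)
    return None if mode == "query" else [ev["id"] for ev in ordered]


if __name__ == "__main__":
    print("ascending :", ordered_ids(SAMPLE_EVENTS, len(SAMPLE_EVENTS), "time", False))
    print("descending:", ordered_ids(SAMPLE_EVENTS, len(SAMPLE_EVENTS), "time", True))
    print("over limit:", resort_or_requery(SAMPLE_EVENTS, 5000, "time", True)[0])
    print(count_label(5000, "Descending"))
```

Note that ids 1 and 3 appear in the same relative order in both directions; only the distinct times swap around them.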

To change the sort order or the sort column:

  1. Move the mouse over the column titles to find a sortable column.
    If a column is not sortable, a tooltip that explains the reason is displayed.
  2. To sort the list based on a column:
    1. Move the mouse over a sortable column and click the arrow ( Ascending sort order indicator or Descending Sort order indicator).
      The events are sorted in the correct sort order. If you hover over the column title, you can see that the arrow is no longer dimmed. A column that is being used to sort the events list has a bright white arrow that you can click to change the sorting direction.
    2. To change the sort order, click Ascending sort order indicator to change to Ascending or Descending Sort order indicator to change to Descending order.
      The direction of the arrow changes and the events are reloaded in the selected order.

View the Meta Keys Included in a Column Group

To view details of a column group:

  1. Go to Investigate > Events and click the submit query button (spyglass) to load events.
    The events for the default service and the default time range are loaded in the Events panel. The Summary List column group or the column group from your last session is applied to the list. The Column Group menu title includes the name of the selected column group. This figure shows the menu initially when Summary List is selected by default and the first column group in the list is highlighted.
    the Column Group menu with Summary List selected and RSA Email Analysis highlighted
  2. Hover over the Summary List group and click the information icon (information icon) to see which columns are included in the group.
    This figure shows the columns for the Summary List. The Collection Time and Type column are always the first two columns in the Events list, but are not listed in the Column Group Details dialog.
    example of the Column Group Details dialog
  3. Do one of the following.
    1. To close the dialog, click Close.
    2. If you want to apply the column group, click Select Column Group.
      The dialog closes and the Events list is updated to reflect the selected column group.

Select a Column Group

  1. With the Events panel open in the 11.4 Events view, click the Column Group menu title.
    The menu drops down to display a list of column groups with a filtering option and a New Column Group option. The built-in column groups (except for Summary List) have an "RSA" prefix and a lock icon (the lock icon) to indicate that you cannot edit the groups. A custom icon (the custom column group icon) precedes the name of custom column groups. The list is sorted alphabetically and the selected column group is displayed in the menu label. The first option in the list is highlighted. The selected column group has a slightly different background color than the highlighted column group.
    This figure shows the menu after RSA Endpoint Analysis was highlighted, but RSA Email Analysis is still selected. Investigate Upgrade is an example of a custom column group.
    example of the Column Group menu
  2. Do one of the following:
    1. If the highlighted group is the one you want to apply, press ENTER.
    2. Begin typing text in the Filter column groups field to search for a column group name. As you type, the list is filtered to show only the column group names that contain that string.
      the Column Group menu with text in the filter
      When you see the group that you want to apply, click it or use the down or up arrow to highlight it, then press ENTER.
      The Events list is refreshed to include only columns in the selected column group, and the menu title includes the selected group name. Your selection persists when you navigate away from the Events view. The order of the columns in the Events list reflects the order of the meta keys in the column group. A column group may contain more columns that are only visible when you scroll to the right. For optimal viewing, the first 15 columns are displayed by default when you select a column group.

Create a Custom Column Group

  1. Go to Investigate > Events and submit a query to load data in the Events panel.
  2. In the Events panel toolbar, click the Column Group menu title.
    The menu drops down to display a list of column groups with the Filter Column Groups field at the top and the + New Column Group option at the bottom. The first group in the list is highlighted. To illustrate the difference between highlighted and selected, this figure shows the menu after RSA Endpoint Analysis was highlighted, but RSA Email Analysis is still selected.
    example of the Column Group menu
  3. Select + New Column Group.
    The Create Column Group dialog is displayed.
    the Create Column Group dialog when first opened
  4. In the Group Name field, type a unique name (maximum length of 256 characters) for the new column group, for example, Custom Column Group A.
  5. To add a meta key to the column group, select and add each meta key as follows:
    1. Type a text string in the Filter meta keys field and look for meta keys that contain that text in the Available Meta Keys list.
      an example of the filtered Available Meta Keys list
    2. When you see the meta key that you want to add, click the add icon circled plus icon that precedes the meta key name.
      The meta key is added to the end of the Displayed Meta Keys list. (This list is also filtered using the text you typed.) The maximum number of meta keys in a column group is 40. If you attempt to add another meta key when 40 are already included in the Displayed Meta Keys list, a message advises you that the group has the maximum number of meta keys.
      an example of the Create Column Group dialog with several meta keys added
  6. (Optional) To find and remove a meta key from the column group, type a text string in the Filter meta keys field and look for meta keys that contain that text in the Displayed Meta Keys list. When you see the column that you want to remove, click the remove icon (the Remove icon) that precedes the meta key name in the Displayed Meta Keys list.
    The meta key is moved back to the Available Meta Keys list.
  7. (Optional) To change the order of the displayed meta keys in the Displayed Meta Keys list, place the cursor over the list order icon (the list order icon). When the cursor changes to the drag and drop icon (drag and drop icon), drag the meta key up or down in the list.
    changing the order of meta keys in the Create Column Group dialog
  8. Do one of the following:
    1. To close the dialog without creating the custom column group, click Cancel.
    2. To create the group, click Save Column Group.
      The new column group is saved and becomes available for all analysts. The buttons change to Done and Select Column Group.
  9. Do one of the following:
    1. To close the dialog, click Done.
    2. To close the dialog and select the new column group, click Select Column Group.
      The new group is added to the Column Groups menu (in alphabetical order), and if you clicked Select Column Group, the Events list is updated to show the columns in the new column group.

Delete a Custom Column Group

You can delete any custom column group that is not currently applied in the Events list. The built-in column groups are read only and cannot be deleted. When you delete custom column groups, only the built-in column groups and the groups that have not been deleted are displayed in the column group menu.

Caution: When you delete a column group, the effect is global and the group is no longer available to any analyst.

To delete a custom column group:

  1. Go to Investigate > Events and click the submit query button (spyglass) to load events.
    The events for the default service and the default time range are loaded in the Events panel. The Summary List column group or the column group from your last session is applied to the list. This figure shows the initial view with the Summary List column group selected. The label on the Column Group menu includes the name of the selected column group.
    example of the Column Group menu with the Summary List group selected
  2. To delete a column group, highlight a custom column group as shown in the following figure and click the edit icon (the edit icon) to the right of the name.
    a custom column group with the custom symbol on the left side
  3. The Column Group Details dialog opens with the details for the selected group displayed.
    the Column Group Details dialog for a custom column group
  4. Click the delete group icon (CGDeleteIcon).
    If the column group is currently in effect, the following message is displayed: This column group cannot be deleted because it is currently active.
    If the column group is not in effect and is not a built-in column group, the group is deleted immediately and removed from the Column Groups menu. The column group no longer appears anywhere for any analyst working in Investigate. There is no request for confirmation before the column group is deleted.

Edit a Custom Column Group

  1. Go to Investigate > Events and submit a query to load data in the Events panel.
  2. In the Events panel toolbar, click the Column Group menu title.
    The menu drops down to display a list of column groups with the Filter Column Groups field at the top and the + New Column Group option at the bottom. The first group on the list is highlighted, and the selected group has a light blue background.
  3. Highlight the column group that you want to edit. This figure shows Custom Column Group A highlighted. The edit icon is displayed to the right.
    a column group highlighted for editing
  4. Click the edit icon (the edit icon).
    The Column Group Details dialog is displayed so that you can edit the Group Name and Displayed Meta Keys. You can add or delete meta keys and rearrange the order of the meta keys in the list.
    the Column Group Details with a column group open for editing
  5. (Optional) In the Group Name field, edit the name of the column group.
  6. (Optional) To add a meta key to the column group, select and add each meta key as follows:

    1. Type a text string in the Filter meta keys field and look for meta keys that contain that text in the Available Meta Keys list. Or just scroll through the list to find the meta key.
    2. When you see the meta key that you want to add, click the add icon circled plus icon that precedes the meta key name.
      The meta key is added to the end of the Displayed Meta Keys list. (This list is also filtered using the text you typed.) This figure shows the group name changed to Column Group C and access.point added to the Displayed Meta Keys list.
      the column group name changed and action meta key added
  7. (Optional) To find and remove a meta key from the column group, type a text string in the Filter meta keys field to look for meta keys that contain that text in the Displayed Meta Keys list, or simply scroll through the list. When you see the column that you want to remove, click the remove icon (the Remove icon) that precedes the meta key name in the Displayed Meta Keys list.
    The meta key is moved back to the Available Meta Keys list.
  8. (Optional) To change the order of the displayed meta keys in the Displayed Meta Keys list, place the cursor over the list order icon (the list order icon). When the cursor changes to the drag and drop icon (drag and drop icon), drag the meta key up or down in the list.
  9. Do one of the following:
    1. To close the dialog without saving the changes to the custom column group, click Reset.
    2. To save the edits to the column group, click Update Column Group.
      The updated column group is saved globally for all analysts, and the buttons change to Done and Select Column Group.
  10. Do one of the following:
    1. To close the dialog, click Close.
    2. To close the dialog and select the updated column group, click Select Column Group.
      The column group is updated, and if you clicked Select Column Group, the Events list is updated to show the columns in the new column group.

Select a Column Group and Columns (11.3 and Earlier Event Analysis View)

In the 11.3 and earlier Event Analysis view, you can select a column group to apply to the Events list. These are the built-in groups and custom column groups created in the Legacy Events view.

To select a column group:

Begin in the Column Group menu and do one of the following:

  1. Select a column group (for example, Summary List).
  2. To filter the list of column groups, start typing the name of the column group. Type one character and a list of column groups that contain that character is displayed; as you continue to type the list is filtered to match. When you see the column group that you want, click to select it. To clear the filter text, click X or delete the typed text.
    The Events panel displays data in the columns that belong to the selected column group.

To select columns to display:

  1. With the Events list open and a column group selected, click the settings icon to display the column selector.
    Column selector filtering list
  2. Select the meta keys or enter the name of a meta key that you want to display in additional columns. 
  3. If you do not want to see a meta key displayed in a column, deselect the meta key.
    The data is redisplayed using the selected columns.

Work with Column Groups in the Legacy Events View

This section includes procedures for working in the 11.4 Legacy Events view (and the 11.3 Events view). Three different forms of the events list with hard-coded columns are built in and labeled as follows: Detail View, List View, Log View. You can remove columns, rearrange the order, and change the width of a column. In addition the built-in or custom column groups are available; these give you more flexibility in choosing columns.

Column groups are shared globally, per service, across Investigate. Any changes you make to custom column groups are applied globally, affecting all analysts using the service. If you delete a column group, the column group is no longer available to anyone who is investigating the service.

Select a Column Group

Note: Investigate profiles can include custom column groups. If a custom column group is used in a profile and you are viewing events in the Legacy Events view using a custom column group, you cannot change the view type (Detail, List, or Log).

To select a column group:

  1. With the Legacy Events view open, select Custom Column Groups in the View drop-down menu. The menu label reflects the selected option: Detail View, List View, Log View, or the currently selected column group.
    the Custom Column Groups menu
  2. Select one of the column groups from the submenu.
    The Legacy Events view is refreshed to reflect the custom column group.

Create a Custom Column Group in the Legacy Events View

  1. Go to Investigate > Legacy Events.
  2. Select Manage Column Groups in the View drop-down menu. The View option is named for the current value, for example, Detail View, List View, Log View, or the currently selected column group.
    The Manage Column Groups dialog is displayed.
    the Manage Column Groups dialog
  3. To add a new column group in the column group panel, click Add icon and type the name of the new group in the resulting field.
    The column definition panel opens on the right with the group name filled in. You can edit the group name.
  4. To add a column to the group, click Add icon, and click in the empty Meta Key field to display the Meta Key drop-down list. Select a meta key field from the list, and repeat this step until the column set is complete.
    the Manage Column Groups dialog showing a new column and the meta key drop-down list
  5. (Optional) To delete a meta key from the column group, click Delete icon.
  6. (Optional) To rearrange the sequence in which the columns appear in the Events list, drag meta keys to the desired position.
  7. (Optional) To set the default width for a column, click in the corresponding value in the Width column, and type a new column width.
    Manage Column Groups dialog with a meta key defined
  8. (Optional) To revert to the previous settings for the column group, and undo all of your changes, click Cancel.
  9. When ready to save, do one of the following:
    1. To save the edited column group and refresh the Legacy Events view with the column group settings, click Save and Apply.
    2. To save the edited column group without refreshing the Legacy Events view, click Save.

Delete a Column Group (Legacy Events View)

  1. Go to Investigate > Legacy Events.
  2. Select Manage Column Groups in the View drop-down menu. The View option is named for the current value, for example, Detail View, List View, Log View, or the currently selected column group.
    The Manage Column Groups dialog is displayed.
    the Manage Column Groups dialog
  3. To delete a custom column group in the column group panel, select one or more custom column groups and click Delete icon in the toolbar.
    A confirmation request is displayed.
  4. Do one of the following:
    1. To delete the column group and refresh the Legacy Events view, click Yes.
      The selected column groups are deleted and no longer appear anywhere for this service in Investigate.
    2. If you decided not to delete the column group, click No.

Edit a Column Group (Legacy Events View)

  1. Go to Investigate > Legacy Events.
  2. Select Manage Column Groups in the View drop-down menu. The View option is named for the current value, for example, Detail View, List View, Log View, or the currently selected column group.
    The Manage Column Groups dialog is displayed.
    the Manage Column Groups dialog
  3. Do one of the following:
    1. To edit a custom column group in the column group panel, select the checkbox before the name.
      The column definition panel opens on the right.
    2. To clone and edit a built-in column group or a custom column group, select the checkbox before the name and click the clone icon.
      The column definition panel opens on the right.
  4. (Conditional) If you are editing a clone of a group, type the new name of the group.
  5. To add a column to the group, click Add icon, and click in the empty Meta Key field to display the Meta Key drop-down list. Select a meta key field from the list, and repeat this step until the column set is complete.
    the Manage Column Groups dialog showing a new column and the meta key drop-down list
  6. (Optional) To delete a meta key from the column group, click Delete icon.
  7. (Optional) To rearrange the sequence in which the columns appear in the Events list, drag meta keys to the desired position.
  8. (Optional) To set the default width for a column, click in the corresponding value in the Width column, and type a new column width.
    Manage Column Groups dialog with a meta key defined
  9. (Optional) To revert to the previous settings for the column group, and undo all of your changes, click Cancel.
  10. When ready to save, do one of the following:
    1. To save the edited column group and refresh the Legacy Events view with the column group settings, click Save and Apply.
    2. To save the edited column group without refreshing the Legacy Events view, click Save.

Import and Export a Column Group (Legacy Events View)

You can export custom column groups for use by other members of your team, and other analysts can import column groups if you give them a copy of the exported file.

To export a column group:

  1. Go to Investigate > Legacy Events.
  2. Select Manage Column Groups in the View drop-down menu. The View option is named for the current value, for example, Detail View, List View, Log View, or the currently selected column group. Each of these views is a differently formatted events list, and each column represents one meta key.
    The Manage Column Groups dialog is displayed.
    the Manage Column Groups dialog
  3. To export a column group, select the checkbox before the name and click the Export option (the export button).
    The column group is exported to your local file system as a .jsn file, for example, CustomColumnGroupsExport.jsn. If you export another group, the next file is named CustomColumnGroupsExport-2.jsn to differentiate.
  4. To import a column group that you have available on your local file system, click the Import option (the import button).
    The Import Column Groups dialog is displayed.
  5. Browse your local drive to find the column group (jsn file), and click Upload.
    The column group is added to the list. If it has the same name as an existing column group, a message is displayed and the column group is not imported.
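The behaviour of the export and import steps above can be modelled in code. The following is an added example, not part of the RSA NetWitness documentation or product: it models a column group as the page defines it (ordered meta keys with a default width), applies the export file naming rule (CustomColumnGroupsExport.jsn, then CustomColumnGroupsExport-2.jsn), and rejects an import whose name collides with an existing group. The JSON schema, the field names, and the width unit are assumptions for the illustration, not the product's actual .jsn format.

```python
"""Model of column-group export/import semantics (added example).

The on-disk schema below is an ASSUMPTION for illustration; it is not the
real NetWitness .jsn format.
"""
import json
from dataclasses import dataclass, field, asdict
from typing import Dict, List, Optional


@dataclass
class Column:
    meta_key: str        # meta key shown in this column, e.g. "time", "ip.src"
    width: int = 100     # default column width (assumed unit: pixels)


@dataclass
class ColumnGroup:
    name: str
    # List order is the column position in the Events list.
    columns: List[Column] = field(default_factory=list)


EXPORT_BASENAME = "CustomColumnGroupsExport"


def next_export_filename(existing: List[str]) -> str:
    """Return the first unused export name: CustomColumnGroupsExport.jsn,
    then CustomColumnGroupsExport-2.jsn, -3.jsn, ... (naming rule from the page)."""
    taken = set(existing)
    candidate = f"{EXPORT_BASENAME}.jsn"
    n = 1
    while candidate in taken:
        n += 1
        candidate = f"{EXPORT_BASENAME}-{n}.jsn"
    return candidate


def export_group(group: ColumnGroup) -> str:
    """Serialise a column group to JSON text using the assumed schema."""
    return json.dumps(asdict(group), indent=2)


def import_group(store: Dict[str, ColumnGroup], data: str) -> Optional[ColumnGroup]:
    """Parse exported JSON and add the group to the shared store.

    Returns None and leaves the store untouched when a group with the same
    name already exists (the page states such imports are refused).
    Raises ValueError for a malformed file so that nothing half-parsed
    reaches the store, which is shared by every analyst on the service.
    """
    raw = json.loads(data)
    if not isinstance(raw, dict) or not isinstance(raw.get("name"), str):
        raise ValueError("column group file must be an object with a string 'name'")
    name = raw["name"]
    if name in store:
        return None
    cols: List[Column] = []
    for c in raw.get("columns", []):
        key = c.get("meta_key")
        width = c.get("width", 100)
        if not isinstance(key, str) or not isinstance(width, int) or width <= 0:
            raise ValueError(f"invalid column entry: {c!r}")
        cols.append(Column(key, width))
    group = ColumnGroup(name, cols)
    store[name] = group
    return group


if __name__ == "__main__":
    # Constructed sample: a group of columns useful for email triage.
    shared: Dict[str, ColumnGroup] = {}
    g = ColumnGroup("Email Triage", [Column("time", 120), Column("ip.src"), Column("email.src", 200)])
    text = export_group(g)
    print(next_export_filename([]))                          # CustomColumnGroupsExport.jsn
    print(import_group(shared, text) is not None)            # True, first import succeeds
    print(import_group(shared, text))                        # None, duplicate name refused
```

Because the store stands in for the per-service, globally shared set of column groups, the duplicate-name check and the strict validation happen before anything is written to it; a rejected file never changes what other analysts see.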
