In the Event Analysis view, interactive features enhance your ability to find meaningful patterns in the data. It is an alternative to the static Event Reconstruction view. Analysts who are assigned a user role with access to the Event Analysis view can examine network, log, and endpoint events there; you can choose between this view and the Event Reconstruction view.
The Event Analysis view lists the events associated with the current drill point in the Navigate view in order by time. When you click an event, the Network Event Details, Log Event Details, or the Endpoint Event Details panel opens in the same browser window. Each type of event has one or more types of analysis: Text Analysis, Packet Analysis, and File Analysis.
To access this window, do one of the following:
- In the Events view with Detail View selected, click Event Analysis at the end of the event.
- In the Event Reconstruction toolbar, click Event Analysis.
Note: You can perform this task in the current view.
- How NetWitness Investigate Works
- Event Analysis View - Packet Analysis Panel
- Event Analysis View - Text Analysis Panel
- Event Analysis View - File Analysis Panel
When you open a drill point in the Event Analysis view, the service being investigated counts the results of the initial query up to a limit of 100,000 events, and the first 1,000 events (network, log, and endpoint) are loaded in the Event list panel. The columns in the Event list panel are Event Time, Event Type (Network, Log, or Endpoint), Event Size, and Summary. You can:
- Scroll through the list and click Load More to load the next 1,000 events, up to the 100,000-event limit.
- Drag the columns to rearrange the order.
- Make columns wider or narrower.
- View the event analysis of an event.
| Callout | Description |
|---|---|
| 1 | The read-only breadcrumb shows the query used to produce this data set. All queries are done in the Navigate view or the Events view. |
| 2 | The Event list panel: a read-only list of events based on the query made in the Navigate or Events view. The list includes a count of the events. You can rearrange and resize columns, scroll to the bottom of the list, and load more events (see Analyze Events in the Event Analysis View). |
| 3 and 8 | Controls to change the size of the panel and close the panel. |
| 4 | The type of event being analyzed is reflected in the heading: Network Event Details, Log Event Details, or Endpoint Event Details. Each view is discussed in detail in Analyze Events in the Event Analysis View. |
| 5 | The types of analysis available for the event type. Network events can use all three types of analysis: text, packet, and file. Log and endpoint events use only text analysis. |
| 6 | These options vary for the different types of analysis. They are discussed in detail in Analyze Events in the Event Analysis View. |
| 7 | Controls to show or hide the Event Header, show or hide requests and responses, and open the Event Meta panel (12). These controls are described in Analyze Events in the Event Analysis View. |
| 9 | Reopen the Event list panel or the Event Meta panel if you have closed it. |
| 10 | The Event Header, which provides summary information about the event. This information differs for the different event types (network, log, and endpoint). |
| 11 | The event data (sometimes called the payload for a network event). The event data for a log event or endpoint event is typically a line of text from the raw log rather than the request and response shown for a network event. |
| 12 | The Event Meta panel lists the meta keys and values found in the data. Some meta values are searchable; they have a binoculars icon, which you can click to see the associated data highlighted in the event data (see Analyze Events in the Event Analysis View). |