Skip navigation
All Places > Products > RSA NetWitness Platform > RSA NetWitness Platform Online Documentation > Documents
Log in to create and rate content, and to follow, bookmark, and share content with other members.

Investigate: Export Events in the Events View

Document created by RSA Information Design and Development Employee on Sep 18, 2017Last modified by RSA Information Design and Development Employee on Jan 30, 2020
Version 19Show Document
  • View in full screen mode

In the Legacy Events view, the Actions menu has an option to export events from the event being viewed to an archive.

Note: You can only export files that you have permission to view or access.

The export function queries the service for all sessions inside the selected time range and drill point to extract the content of each session. The details being exported are affected by both the time range and drill point at the time of exporting. In the File Extraction dialog, you can choose to export:

  • PCAPs
  • Logs
  • NetWitness Endpoint events
  • Meta values

The format of the exported archive: ZIP or GZIP file. After you send the request, a job is scheduled and you can track the job in in the Jobs tray. If there is an error retrieving the log or PCAP from the service, an error notification is displayed.

To extract files from an event:

  1. While in the Event view, click an event.
  2. Click Actions > Export..
    Events view Export menu
  3. Select the export option.
    A message informs you that the PCAP is being downloaded.

You are here
Table of Contents > Downloading and Acting Upon Results > Export Events in the Legacy Events View