Skip navigation
All Places > Products > RSA NetWitness Platform > RSA NetWitness Platform Online Documentation > Documents
Log in to create and rate content, and to follow, bookmark, and share content with other members.

Investigate: Legacy Events View

Document created by RSA Information Design and Development Employee on Sep 18, 2017Last modified by RSA Information Design and Development Employee on Jan 30, 2020
Version 19Show Document
  • View in full screen mode

In the Legacy Events view a list of events associated with a session is available; this view is optimized for viewing raw events in sequence by time. You can display the events list in several forms, filter events, search for events, and open a reconstruction of an event.

There are two ways to display the Legacy Events view:

  • Go to Investigate > Legacy Events. NetWitness Platform runs a default query on the last three hours for the default service (if one is set) or displays a dialog in which you can select a service and then runs the default query. The default query selects all events and the Legacy Events view displays events on the selected service, with the oldest events first.
  • From within the Navigate view, double-click an event. The Legacy Events view displays the events on the selected service based on the drill point in the Navigate view.


This workflow has references to several views that were renamed in Version 11.4: Event Analysis --> Events, Events --> Legacy Events.

the workflow of an investigation with the tasks performed in the Events view highlighted

What do you want to do?


*You can perform this task in the current view.

Related Topics

Quick Look

The Legacy Events view provides three built-in presentations of event data: the Detail view, the List view, and the Log view. The List view and Detail view provide more information for each event including the timestamp, event type, event theme, and size.

  • The List View shows corresponding source and destination address and port information for events in summary form in a grid.
  • The Detail View shows all metadata collected for the event in a paged view.
  • The Log View is optimized for viewing log and endpoint information, and provides more information for each log including the timestamp, event type, service type, service class, and the logs.

You can use queries, the time range setting, and profiles to filter the events listed in the Legacy Events view. From any view type in Legacy Events view, you can extract files; export network events, endpoint events, logs, and meta values, and open the Event Reconstruction panel. In the Detail View you can also open the event in the Events view.

The following figure is an example of events in the Detail View. The Context Lookup panel is visible only if the Context Hub service is configured.

an example of the Events view with the Context Lookup panel open

The following figure is an example of events in the List View.

the List view

The following figure is an example of the Log View.

example of the Log View

The following figure shows the information added to the footer for Version 11.3 and later.

the Events view footer with result limit and services queried

Detailed Description

The Legacy Events view has a toolbar at the top with the following options.

Select ServiceDisplays the selected service name next to the icon. Opens the Investigate dialog, in which you can select a service for which the event list is displayed.
Time RangeDisplays a drop-down menu for selecting the time range to apply to the event list. You can choose one of the standard options or specify a custom time range.
QueryDisplays the Query dialog, in which you can enter a custom query directly instead of drilling down the data (see Create a Query in the Navigate and Legacy Events Views).
ProfileDisplays the Profile menu; the currently selected profile is displayed in the toolbar. The menu options include built-in (Default) profiles and custom profiles, as well as an option to manage profiles. Each profile can include a meta group, a column group, and a beginning query that is applied to the Navigate view (meta groups and queries) and the Legacy Events view (column groups and queries) as you investigate events. (see Use Query Profiles to Encapsulate Common Areas for Investigation).
View Type Drop-downDisplays a drop-down menu for selecting the event view type.
  • Detail View shows events in a paged format with detailed information for each event.
  • List view shows the events in table form with a summary of each event in a separate row.
  • Log View shows a log-oriented events grid with a summary of each log in a separate row.
  • Custom Column Groups displays the event list using a column group selected from a drop-down list of custom column groups.
  • Manage Column Groups displays the dialog for creating and editing custom column groups.
ActionsDisplays a drop-down menu with actions in the Legacy Events view:
  • Export an events as PCAP files, export logs, export endpoint events, or export meta values.
  • View an event reconstruction in a popup window or in a new tab.
  • Reset all filters in the Legacy Events view.


Create a new incident in Respond and add the selected events, or add selected events to an existing incident in Respond.

SearchDisplays the Search Events options, which allow you to specify the export log and export meta value format with additional options explained in Search for Text Patterns in the Navigate and Legacy Events Views.
SettingsDisplays the Investigation settings for the Legacy Events view (which are also available in the Profile view) so that you can change Investigation settings without navigating away from the Legacy Events view. When you change a setting In the Legacy Events view, the setting is also changed in the Profile view (see Configure the Navigate View and Legacy Events View).


Other features of the Legacy Events view are described in this table.

Show Additional Meta icon
(in the Detail View of an event)
Displays the rest of the metadata for the event.
the Event Analysis icon (in the Detail View of an event)Opens the selected event in the Events view.
the Events view page controls
(in the footer)

Pagination controls allow more flexibility in paging through a list of events. When a control is unavailable, the image is dimmed; for example, when you are viewing page 1, the the first page control and the previous page control controls are dimmed.

the first page control - Go to the first page

the previous page control - Go to the previous page

the page number control - Go to a specific page

the next page contorl - Go to the next page

the last page control - Go to the last page

the events per page control - Select the number of packets per page

When you select a number of events per page, the setting is saved in browser cache so that you do not have to select your preferred number of events each time you log in. The setting applies to all views: Log View, List View, and Details View.

Displaying 1-100 of 100,000 events (in the footer)

Displaying 1-25 of 100+ event matches (result limit of 100 events reached)
(in the footer)

Displays the count of events displayed versus the total number of matching events. In Version 11.3 and later, the footer includes a notification if the results limit configured by the administrator has been reached to let you know that more results are available but not viewable. To view the additional results, you need to refine the filter to get fewer results. Clicking the information icon the info icon in the footer displays the IP address and connecting port number for all services queried.

You are here
Table of Contents > Investigate Reference Materials > Legacy Events View