Investigate: Filter and Search Results in the Events View

Document created by RSA Information Design and Development on Sep 18, 2017. Last modified by RSA Information Design and Development on Apr 25, 2019.

Analysts can filter events in the Events view by searching for events or selecting the service, setting the time range, and querying the metadata. If you opened the Events view from a Navigate view drill point, the view opens to the Detail view of events by default. Analysts who do not have permissions to use the Navigate view can query services directly from the Events view.

Note: When an Archiver is the currently selected service in the Events view, a search is slower than the same search against a Broker or Concentrator, because the data on the Archiver is compressed and there is typically more of it.

Filter Events Displayed in the Events View

To filter the data displayed in the Events view:

  1. Go to INVESTIGATE > Events.
    The Events view is displayed.
  2. To select a time range other than the default (Last 3 Hours), in the toolbar, click the time range field and select a value. For example, Last Hour.
    The Events view is refreshed with the selected time range.
  3. To enter a query for the selected service and time range, in the toolbar, click Query.
    The Simple Query dialog is displayed.
  4. If you want to enter a simple query using the auto-complete feature to select meta and operators, do one of the following:
    1. Click in the Select Meta field and select a meta key from the drop-down list.
    2. Select an operator from the drop-down list in the Operator field.
    3. Type a value to match in the Value field.
    4. Select Network, Log, or Endpoint data, and click Apply.
      The matching data is displayed in the Events view.
  5. If you want to enter a more complex query based on your knowledge of the meta keys and operators:
    1. Click Advanced.
      The Advanced Query dialog is displayed.
    2. Type a query. As you type the query, beginning with the meta key, drop-down lists of available meta keys and operators are displayed. When finished, click Apply.
  6. If you want to select a query from a list of recent queries:
    1. Select Recent.
      The Recent Query dialog is displayed.
    2. Select a query and click Apply.
      The matching results for the query are displayed in the Detail View in the Events view. The breadcrumb reflects the query.
    3. In the breadcrumb, you can click any of the crumbs to display the Query menu. From there you can insert a new query before a crumb or append a new query to the end of the breadcrumb. After each edit to the breadcrumb, the results are refreshed.
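The procedure above assembles a query from a meta key, an operator and a value, then keeps a breadcrumb of queries that can be appended to or inserted into. The following Python is an added example, not RSA NetWitness code: it builds such clauses with basic validation and models the breadcrumb as a conjunction of its crumbs. The operator list, the single-quoting and backslash-escaping of string values, and the use of && to join crumbs are assumptions drawn from the query syntax shown in NetWitness documentation, not verified against the product.

```python
"""Added example (not RSA NetWitness code): assemble NetWitness-style query
clauses and maintain a breadcrumb of queries.

Assumptions, labelled as such: the operator set in OPERATORS, single-quoted
string values with backslash escaping, and crumbs joined with && are taken
from documented query examples and are not verified against the product.
"""

import re
from dataclasses import dataclass, field

# Operators assumed to match those offered in the query dialog (assumption).
OPERATORS = {"=", "!=", "<", ">", "<=", ">=", "begins", "ends",
             "contains", "regex", "exists", "!exists"}

# Meta keys are lower-case dotted identifiers such as ip.dst or alias.host.
META_KEY = re.compile(r"^[a-z][a-z0-9]*(\.[a-z0-9]+)*$")


def quote_value(value):
    """Pass integers and dotted-quad IPs through unquoted; single-quote
    everything else, escaping backslashes and embedded single quotes
    (escaping convention is an assumption)."""
    s = str(value)
    if re.fullmatch(r"\d+", s) or re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", s):
        return s
    return "'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"


def clause(meta, operator, value=None):
    """Build one 'meta operator value' clause, rejecting unknown meta-key
    shapes and operators so a typo never becomes a silent empty result."""
    if not META_KEY.match(meta):
        raise ValueError(f"bad meta key: {meta!r}")
    if operator not in OPERATORS:
        raise ValueError(f"unsupported operator: {operator!r}")
    if operator in ("exists", "!exists"):
        return f"{meta} {operator}"
    if value is None:
        raise ValueError(f"operator {operator!r} needs a value")
    return f"{meta} {operator} {quote_value(value)}"


@dataclass
class Breadcrumb:
    """Ordered list of queries; the effective query is their conjunction
    (assumption), with any crumb containing || parenthesised."""
    crumbs: list = field(default_factory=list)

    def append(self, query):
        self.crumbs.append(query)
        return self.query()

    def insert_before(self, index, query):
        self.crumbs.insert(index, query)
        return self.query()

    def query(self):
        parts = [f"({c})" if "||" in c else c for c in self.crumbs]
        return " && ".join(parts)


if __name__ == "__main__":
    bc = Breadcrumb()
    bc.append(clause("service", "=", 80))
    bc.append(clause("ip.dst", "=", "10.0.0.5"))
    bc.insert_before(1, clause("action", "=", "get") + " || " + clause("action", "=", "post"))
    print(bc.query())
```

Because `clause` validates the meta key and operator before anything is sent, a mistyped key fails loudly in the script rather than returning zero events that look like a clean bill of health.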

Search for Events in the Events View

You can search the currently displayed data in the Events view by entering a search string in the Search field. The search string can be a regex (regular expression) or a simple text search. Detailed information on these search types is provided in a separate topic.

To search within the currently displayed data in the Events view:

  1. Place the cursor in the Search box, type a search string, and press Enter or click Search.
    The search results are displayed in the Events view: only events that match the search criteria are shown. In the Detail view and List view, matches are highlighted in the Details column. In addition, when searching RAW, matches are highlighted in the Logs column of the Log view. An example is the search results for the search term India in the Events Detail view. (Search matches are not highlighted in any event reconstruction.)
  2. If you want to narrow the search, change the query and time range as described above in Filter Events Displayed in the Events View.
  3. If you want to stop the search and return to the Events view, click Cancel.
    Any results that are displayed remain.
  4. To clear the search box and return to the normal Events view, click X in the search box.
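The search described above runs over data already displayed, in either simple-text or regex mode, and highlights matches in the Details column and, for a RAW search, in the Logs column. The Python below is an added example and not RSA NetWitness code: it implements that client-side search over a few constructed events and returns match offsets a caller can highlight. It assumes simple text means a case-insensitive literal substring match, that regex mode is a case-insensitive Python regular expression, and that "details" and "raw" stand in for the Details and Logs columns; the sample events are constructed for the example.

```python
"""Added example, not RSA NetWitness code: search events already on screen
in simple-text or regex mode, optionally including the raw log text, and
return match offsets for highlighting.

Assumptions, labelled as such: simple text is a case-insensitive literal
substring match, regex is a case-insensitive Python regex, and the
"details" and "raw" fields stand in for the Details and Logs columns.
"""

import re

# Constructed sample events; not real NetWitness data.
EVENTS = [
    {"id": 1, "details": "HTTP GET /login from 203.0.113.7 to web01",
     "raw": "Jan 05 10:14:02 web01 httpd: 203.0.113.7 GET /login 401"},
    {"id": 2, "details": "DNS query for mail.example.in, dst country India",
     "raw": "Jan 05 10:14:05 dns01 named: client 10.0.0.8 query mail.example.in"},
    {"id": 3, "details": "SSH session from 198.51.100.4 to bastion",
     "raw": "Jan 05 10:14:09 bastion sshd: Accepted publickey for ops from 198.51.100.4"},
]


def compile_search(term, regex=False):
    """Compile the search string.

    Simple text is escaped so metacharacters such as '.' or '(' match
    literally; regex mode compiles the string as written. A malformed regex
    is reported as a ValueError instead of leaking re.error to the caller.
    """
    if not term:
        raise ValueError("empty search string")
    pattern = term if regex else re.escape(term)
    try:
        return re.compile(pattern, re.IGNORECASE)
    except re.error as exc:
        raise ValueError(f"invalid regular expression {term!r}: {exc}") from exc


def search_events(events, term, regex=False, search_raw=False):
    """Return {event id: {field: [(start, end), ...]}} for matching events.

    Only the details field is searched unless search_raw is set, which
    mirrors a RAW search that also highlights matches in the Logs column.
    Zero-width matches (e.g. from 'a*') are discarded so nothing is
    highlighted that has no text.
    """
    pat = compile_search(term, regex)
    fields = ("details", "raw") if search_raw else ("details",)
    hits = {}
    for ev in events:
        matches = {}
        for f in fields:
            spans = [m.span() for m in pat.finditer(ev[f]) if m.end() > m.start()]
            if spans:
                matches[f] = spans
        if matches:
            hits[ev["id"]] = matches
    return hits


def highlight(text, spans, left="[", right="]"):
    """Wrap each matched span in markers, applying them right to left so
    earlier offsets stay valid after insertion."""
    out = text
    for start, end in sorted(spans, reverse=True):
        out = out[:start] + left + out[start:end] + right + out[end:]
    return out


if __name__ == "__main__":
    searches = [
        ("india", False, False),                       # simple text, Details only
        (r"\b\d{1,3}(\.\d{1,3}){3}\b", True, True),    # regex for IPv4, RAW too
        ("mail.example.in", False, True),              # '.' matched literally
    ]
    for term, regex, raw in searches:
        hits = search_events(EVENTS, term, regex=regex, search_raw=raw)
        print(f"{term!r} regex={regex} raw={raw}: {len(hits)} event(s)")
        for ev in EVENTS:
            for f, spans in hits.get(ev["id"], {}).items():
                print(f"  #{ev['id']} {f}: {highlight(ev[f], spans)}")
```

The escaping step is the practical point: a simple-text search for an address such as 10.0.0.8 must not let the dots behave as regex wildcards, and a regex search must fail visibly on a bad pattern rather than quietly matching nothing.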

Page Through Events in the Events View

Pagination controls allow more flexibility in paging through a list of events in the List view, Logs view, or Details view. You can select the number of events to display per page, and your selection is saved across logins to the NetWitness application. When a control is unavailable, it is dimmed; for example, when you are viewing page 1, the previous-page and first-page controls are dimmed.

To use pagination controls:

  1. With results displayed in the Events view, click the current number of events per page (10, 25, 50, 100, or 200), and select the new number of events per page from the drop-down menu.
  2. To page forward or back, use the page control icons:
    Click the next-page icon to go to the next page.
    Click the last-page icon to go to the last page.
    Click the previous-page icon to go to the previous page.
    Click the first-page icon to go to the first page.
  3. To go to a specific page, type a page number in the page number field.
