Skip navigation
All Places > Products > RSA NetWitness Platform > RSA NetWitness Platform Online Documentation > Documents
Log in to create and rate content, and to follow, bookmark, and share content with other members.

Investigate: Filter Results in the Legacy Events View

Document created by RSA Information Design and Development Employee on Sep 18, 2017Last modified by RSA Information Design and Development Employee on Oct 16, 2020
Version 23Show Document
  • View in full screen mode
 

Analysts can filter events in the Legacy Events view by searching for events or selecting the service, setting the time range, and querying the metadata. If you opened the Legacy Events view from a Navigate view drill point, the view opens to the Detail view of events by default. Analysts who do not have permissions to use the Navigate view can query services directly from the Legacy Events view.

Note: When an Archiver is the currently selected service in the Legacy Events view and you are searching against a Broker or Concentrator, the search is slower than if searching against a Broker or Concentrator because the data on the Archiver is compressed and there is typically more data.

Filter Events Displayed in the Legacy Events View

To filter the data displayed in the Legacy Events view:

  1. Go to Investigate > Legacy Events.
    The Legacy Events view is displayed.
    the Legacy Events view
  2. To select a time range other than the default (Last 3 Hours), in the toolbar, click the time range field and select a value. For example, Last Hour.
    The Legacy Events view is refreshed with the selected time range.
  3. Create a query as described in Create a Query in the Navigate and Legacy Events Views.
    The matching results for the query are displayed in the Detail View in the Legacy Events view. The breadcrumb reflects the query. In the breadcrumb, you can click any of the crumbs to display the Query menu. You can insert a new query before a crumb, and append a new query to the end of breadcrumb. After each edit in the breadcrumb, the results are refreshed.

Page Through Events in the Legacy Events View

Pagination controls allow more flexibility in paging through a list of Events in the List View, Logs View, or Details View. You can select the number of events to display per page, and your selection is saved across logins to the NetWitness application. When a control is unavailable, the control is dimmed; for example, when you are viewing page 1, the and controls are dimmed.

To use pagination controls:

  1. With results displayed in the Legacy Events view, click the current number of events per page (10, 25, 50, 100, or 200), and select the new number of events per page from the drop-down menu.
  2. To page forward or back, use the page control icons:
    Click to go to the next page.
    Click to go to the last page.
    Click to go the previous page.
    Click to go to the first page.
  3. To go to a specific page, type a page number in the page number field .

You are here
Table of Contents > Refining the Results Set > Filter Results in the Legacy Events View

Attachments

    Outcomes