In the Legacy Events view, the Actions menu has an option to export events from the event being viewed to an archive.

Note: You can only export files that you have permission to view or access.

The export function queries the service for all sessions inside the selected time range and drill point to extract the content of each session. The details being exported are affected by both the time range and drill point at the time of exporting. In the File Extraction dialog, you can choose to export:

  • PCAPs
  • Logs
  • NetWitness Endpoint events
  • Meta values

The format of the exported archive: ZIP or GZIP file. After you send the request, a job is scheduled and you can track the job in in the Jobs tray. If there is an error retrieving the log or PCAP from the service, an error notification is displayed.

To extract files from an event:

  1. While in the Event view, click an event.
  2. Click Actions > Export..
    EvVwExMnu.png
  3. Select the export option.
    A message informs you that the PCAP is being downloaded.