Using the Event Search Box

The Events page includes a Search text box that helps you quickly locate events that match strings you enter.

Search strings are matched against data in the following fields:

File Hash
Source
Subtype
Platform
IP Address

If data in these fields in the Events database matches the string, an auto-completion menu provides a list from which you can select the item you wanted to see.

The Events page displaying the auto-completion menu list for the string entered

When you select an item from the list, the table is filtered in one of two ways:

If you checked Automatically apply before entering the search screen, clicking on an option in the menu immediately filters the table to show only events matching that string in the appropriate field.
If you did not check Automatically apply, clicking on an option in the menu opens the Filters panel with a filter configured to show only events matching that string in the appropriate field. You can add other filters before applying the changes to the table view.

Table 1. Event Report Fields
Field	Description
`Saved View`	Name for this report. If you are creating a new report, enter any text that indicates the purpose of the report in the right text box of Saved Views and then click Add. The report is saved and listed by its new name in the Saved Views menu with the other reports.
`Maximum age`	Time period of interest. Events in the report are between the time the report is run and a specified period in the past (hours, days, weeks, or months). Your selection takes effect immediately. The Filters panel allows you more options for setting a time window, including Timestamp, for which the start and/or end date does not have to be the current date and time.
`Rows per page`	Maximum number of events displayed on a single page in the Events table. This is controlled on a per-user basis by the rows per page menu in the bottom right below the table. The default value is 25. If your report includes more items than the rows per page setting, the console creates more pages and a page number panel for navigation.
`Group by`	Data field (column) by which you want to group results for default display and the sort order (ascending or descending). Group by creates expandable lists that initially only show the group name (for example, security policies) and number of items per group, but can be clicked to show the members of the group (for example, computers). Not all column names are available for grouping. The order of the groups in Group by (and Subgroup by) can be specified as one of the following: Ascending – Display the groups in ascending alphabetical order. Descending – Display the groups in descending alphabetical order. Ascending by count – Display the groups based on the number of results (rows) in each group, from fewest to most. Descending by count – Display the groups based on the number of results (rows) in each group, from most to fewest.
`Subgroup by`	Similar to `Group by`, except it creates a second level of grouping within the first group.
`Show Filters`	Event fields to apply to the report. You can specify any combination of filters to determine which events are included. Although most filters are for data that is clearly associated with the file or computer in the event, the following are special cases: Subtype – Subcategories of events for all event types. You can specify one or more event subtypes for display. If you select no subtype, the console searches for all. Severity – Filter enables you to show or hide events based on standard Syslog message severity guidelines, categorized as follows: Critical Debug Error Info Notice Warning Severity status for each log message is shown in the Severity column. Note: In previous releases, the column and filter now labeled Severity was called Priority.
`Show Columns`	Information to be included as columns in the Events table. Use arrows to specify which columns are displayed and in what order: Items in the Selected list are displayed in the table. Items in the Available list are not displayed in the table.