To create an event cache for later viewing, perform the following procedure.

Procedure

  1. In the console menu, click Reports > Events.
  2. Configure the view that includes the events you want to cache, using any of the following tools that help to refine that view:
    • Existing Saved Views – If any existing Saved View matches or is similar to the view you want, you can start with that view to create your cached event view. For example, you might choose the New Files (Unapproved) view if you are in Low or Medium Enforcement and want to see files on endpoints that should be approved.
    • Filters – Use either the Show Filters link or the funnel icon in a table column or cell to add or modify the view using any of the filter categories.
  3. Determine the time period for events you want to cache. You can do this in one of two ways:
    • Max Age – You can use the Max Age field to designate the length of the time period for which you will cache events. If you use Max Age and no other Timestamp filters, the end of the time period is always the time of cached event processing (not the time that you clicked the Cache button). For example, if you choose 1 day for Max Age and the cache processing occurs at 12:30AM, cached events include events from 12:30AM the previous day until 12:30AM the day the cache is processed.
    • Timestamp Filters – If you have a more specific time period (both beginning and ending) that you want to cache events for, use the Filters panel and set both before and after Timestamps.
  4. If you add any filters to the view, click the Apply button in the Filters panel.
  5. When you have defined the event data you want cached, create a Saved View for that data by entering a name in the text box to the left of Add and clicking Add. This name displays on the Saved Views menu on the main Events page and is also the name for these events on the Cached Events page.
  6. While this view is still showing, click the Cache button.

Results

The events in the view are queued for caching. Cache requests in the server queue are run each night at approximately 12:30AM local time, and the results are available on the Cached Events page the next day.

After you create an event cache, the view you defined for that cache is run every night until you remove it from the Cached Events page. If you define the view using the Max Age property, each new processing deletes the oldest day and adds the latest day to the results.

You cannot edit or rename a cached view. If you need to modify the view, create a new one on the Events page and delete the old one.