Event Details
For any event in the search results, you can open an Event Details panel. The panel opens on the right with the Event tab displayed. It includes the full raw message of the event and the entire list of parsed fields for that event.
Accessing Event Details
To access Event Details from different results views:
List View – Click View all fields in the upper right corner of an event row.
Table View – Click on the event row.
Note
If an event does not specify a time zone, the time in the parsed fields is reported in the local time zone. In the raw log message, the time remains as is.
You can scroll through the events in the panel and expand and collapse different sets of event details by clicking on the events. Click on an event to expand it and click it again to collapse it. In this way you can scroll through all of the grouped events without leaving the Event Details panel. When expanded, each event is displayed with a raw log message and a list of parsed fields.
Interacting with Event Details
You can interact with Event Details information in the ways described below.
Use the icons at the top of the panel to navigate between result events.
Click the icon to close the Event Details panel and return to the Search results.
Use the Search field at the top of the panel to search both the raw message and the list of parsed fields.
Use the arrow icon in the top right corner of the Raw Log section to collapse and expand the log line.
Click the Copy Raw Log to Clipboard icon in the Raw Log section to copy the log line. This icon is only displayed when you hover your cursor over the Raw Log section.
Click the icon next to any field in the PARSED FIELDS list to toggle the field's visibility on or off in the search results. Toggling the visibility also changes whether the field is displayed in the parsed fields on the Timeline view of results and in the columns on the Table view of results.
Click the enrichment indicator icon next to any field that contains enriched data to display an enriched field tooltip. The tooltip explains the type and source of the enriched data.
To display additional options for each field in the list, click the drop-down menu icon that appears when you hover your cursor over a field row.
Depending on whether or not the field was included in the original query, the options below are available:
Use the AND, AND NOT, or OR operators to add the field to your query.
Click Remove to remove the field from your query. (Available only for fields that are already included in the query.)
Click Copy to copy the value of the field to the clipboard.
Click Visualize Field to pivot immediately to the Dashboard app, where you will be presented with the visualization editor view with the information from your search query preconfigured.