- Search Overview
- Search Home Page
- Performing Searches
- Basic Search
- Advanced Search
- Advanced Search Building Blocks
- Running an Advanced Search Query
- Query Syntax
- Query by Subject
- Query by Vendor and Product
- Query by Field and Value
- Query by Context Table
- Query Using Regex
- Free Text Search
- Query Using Advanced Query Language Operators
- Query Using Aggregation Functions
- Query Using Structured Fields
- Dynamic Field Extraction
- Natural Language Search
- Anomaly Search
- Refine a Search
- Context Tables in Search
- Search Best Practices
- Search Results
- Dashboard Visualizations
Event Details
For any event in the search results, you can open a Details panel. The panel opens on the right with the Event tab displayed. It includes the full raw message of the event and the entire list of parsed fields for that event.
Accessing Event Details
To access Event Details from different results views:
Timeline View – Do one of the following:
Click the options menu icon (
) on the right of the event row and select Event Details.Expand the event row and click the Event Details link.
List View – Click Event Details in the upper right corner of an event row.
Table View – Click on the event row.
 |
Note
If an event does not specify a time zone, the time in the parsed fields is reported in the local time zone. In the raw log message, the time remains as is.
If you are viewing results in the Timeline view, and the event for which you are viewing details is part of a group, the Details panel provides a tabbed view of details for each event. The Event tabs are numbered to correspond with the grouped event numbers in the Timeline view. You can click through the number Event tabs to view all of the event details. In this way you can scroll through all of the grouped events without leaving the Details panel. When displayed, each Event tab is displayed with a raw log message and a list of parsed fields.
If you open the Details panel from the options menu of the event row, the panel opens with the tab for the first event in the group displayed. If you open the the panel from the link on one of the events in the group, the panel opens with that specific Event tab displayed.
 |
Interacting with Event Details
You can interact with information on an Event tab in the ways described below.
Use the
icons at the top of the panel to navigate between event rows in the Search results.Click the
icon to close the Details panel and return to the Search results.Use the Search field at the top of the panel to search both the raw message and the list of parsed fields.
Use the numbered Event tabs below the Search field to view event details for different events that are part of a group in the Timeline view.
Use the arrow (
) icon in the top right corner of the Raw Log section to collapse and expand the log line. You can also click Show full log to expand the full log message.Click the Copy Raw Log to Clipboard icon (
) in the Raw Log section to copy the log line. This icon is only displayed when you hover your cursor over the Raw Log section.Click the
icon on the right side of any field in the PARSED FIELDS list, to toggle the field visibility on or off in the search results. Toggling the visibility also changes whether or not the field is displayed in parsed fields on the Timeline view of results and in the columns on the Table view of results.Click the enrichment indicator icon (for example:
) next to any field that contains enriched data to display an enriched field tooltip. The tooltip explains the type and source of the enriched data.
To display additional options for each field in the list, click the drop-down menu icon (
) that appears when you hover your cursor over a field row. 
Depending on whether or not the field was included in the original query, the options below are available:
Use the AND, AND NOT, or OR operators to add the field to your query.
Click Remove to remove the field from your query. (Available only for fields that are already included in the query.)
Click Copy to copy the value of the field to the clipboard.
Click Visualize Field to pivot immediately to the Dashboard app, where you will be presented with the visualization editor view with the information from your search query preconfigured.
