Viewing Real-time Search Results

Real-time Search results show matching events that occur from the current time onwards.

The search results are displayed in two panes:

  • Bottom pane shows the results in tabular form following the definitions in the Display Fields.
    Note that aggregations are not permitted in real-time search. Since results arrive continuously, the results scroll and the latest events are shown at the top.
  • Top pane shows the counts of matched events over time.

The following actions are possible while viewing Real-time Search results:

  • To pause the search, click Pause.
  • To restart the real-time search from the point you left off, click Resume after Pause.
  • To fast forward to the current time, click Fast forward.
  • To clear the result table, click Clear.
  • To restart the search all over again from the current time, click Stop and then Run.

In real-time search, only the Event Type (a unique ID) is shown; Event Names are not shown. Enable Show Event Type while running a real-time query.

Raw events often take many lines to display in a search result. By default, Raw events are truncated and shown on one line so that the user can see many search results on one page. To see the full raw event, click the Wrap Raw Event check-box.

Viewing Parsed Raw Events

Hover over a Raw Event Log cell and click Show Details. The display shows how FortiSIEM parsed that event.

To add an attribute to the filter criteria in the search:

  1. Check the Filter column.
  2. Click OK.
    The Attribute gets added to the filter condition.
  3. Re-run the query to get the new results.

To add an attribute to the search display:

  1. Check the Display column.
  2. Click OK. The Attribute gets added to the display condition.
  3. Re-run the query to get the new results.

Zooming-in on a Specific Time Window

If you see an out-of-the-ordinary pattern (for example, a spike) in the trend chart and want to drill down without typing in an exact time range, there are two possibilities:

  1. Click on the bar: a new search tab is created by duplicating the original search and adding the time window shown when hovering over the bar.
  2. Press and hold the Shift key and drag the mouse over a time window: this modifies the time window in the current tab.
    Click Save and Run to see the results.