Viewing Historical Search Results
Historical Search results are displayed in two panes:
- The bottom pane displays the results in a tabular view, using the columns defined in Display Fields.
- The top pane displays trends over time:
- For non-aggregated searches, the trend is of event occurrence and is shown as a bar graph. Each bar is the number of rows in the table that fall into a particular time window.
- For aggregated searches, the trend is of any of the (numerical) columns that carry an aggregation, and it is displayed for the Top 5 rows in the table. For integer values, such as COUNT(Matched Events), you see a bar graph; for continuous values, such as AVG(CPU Utilization), you see a line chart.
Both the bar and line charts are stacked, with one series per row in the table. To see the trend for a single row, clear the check box in the first column for every other row. To view the trend for a set of rows, select the check boxes of just those rows.
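The following Python snippet is an added illustration of the chart semantics described above (time windows, the Top 5 cut-off, and the stacked view with row check boxes); it is not FortiSIEM code and does not reproduce its internals. The sample rows are constructed, and grouping the aggregated search by reporting host is an assumption made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean

# Constructed sample result rows (not real FortiSIEM data): each is
# (event receive time, reporting host, CPU utilisation %).
T0 = datetime(2024, 1, 1, 0, 0)
WIDTH = timedelta(minutes=10)          # one chart bar per 10-minute window
EVENTS = [
    (T0 + timedelta(minutes=1),  "hostA", 10),
    (T0 + timedelta(minutes=5),  "hostA", 30),
    (T0 + timedelta(minutes=12), "hostB", 50),
    (T0 + timedelta(minutes=15), "hostA", 20),
    (T0 + timedelta(minutes=25), "hostC", 90),
    (T0 + timedelta(minutes=27), "hostB", 70),
    (T0 + timedelta(minutes=29), "hostD", 40),
]


def bin_index(ts, start, width):
    """Index of the time window containing ts (0-based; may fall outside the chart)."""
    return int((ts - start) / width)


def event_count_trend(events, start, width, nbins):
    """Non-aggregated search: one bar per window, height = rows in that window."""
    bars = [0] * nbins
    for ts, _host, _cpu in events:
        i = bin_index(ts, start, width)
        if 0 <= i < nbins:
            bars[i] += 1
    return bars


def aggregated_trend(events, start, width, nbins, agg, top_n=5):
    """Aggregated search grouped by host (the grouping key is an assumption).

    Groups are ranked by agg() over the whole range, which is the value the
    result table shows; only the Top N are charted, each as a per-window series.
    A window with no events for a group is None (no sample), not 0.
    """
    values_by_group = defaultdict(list)
    values_by_group_bin = defaultdict(lambda: defaultdict(list))
    for ts, host, cpu in events:
        i = bin_index(ts, start, width)
        if 0 <= i < nbins:
            values_by_group[host].append(cpu)
            values_by_group_bin[host][i].append(cpu)
    ranked = sorted(values_by_group, key=lambda h: agg(values_by_group[h]),
                    reverse=True)[:top_n]
    return {
        h: [agg(values_by_group_bin[h][i]) if values_by_group_bin[h][i] else None
            for i in range(nbins)]
        for h in ranked
    }


def avg_trend(events, start, width, nbins, top_n=5):
    """AVG(CPU Utilization) per host: continuous values, drawn as a line chart."""
    return aggregated_trend(events, start, width, nbins, mean, top_n)


def count_trend(events, start, width, nbins, top_n=5):
    """COUNT(Matched Events) per host: integer values, drawn as a bar graph."""
    return aggregated_trend(events, start, width, nbins, len, top_n)


def stack_tops(series, selected=None):
    """Stacked view: per-window total of the rows whose check box is selected
    (all rows when selected is None). Clearing a row's check box drops it."""
    rows = [h for h in series if selected is None or h in selected]
    nbins = len(next(iter(series.values())))
    return [sum(series[h][i] or 0 for h in rows) for i in range(nbins)]


if __name__ == "__main__":
    print("events per window:", event_count_trend(EVENTS, T0, WIDTH, 3))
    print("AVG(CPU) Top 2:  ", avg_trend(EVENTS, T0, WIDTH, 3, top_n=2))
    print("COUNT per host:  ", count_trend(EVENTS, T0, WIDTH, 3))
```

Note that a window without samples is kept as None rather than 0 so that a line chart shows a gap instead of a misleading dip to zero; the Top N cut is applied to the whole-range aggregate, so a host that spikes in one window but ranks low overall is not charted, which is exactly why the check boxes and Add to Filter matter when hunting for outliers.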
For continuous values, you can toggle between a stacked view and a non-stacked view:
- To show the stacked view, click the stacked view icon.
- To show the (non-stacked) line chart view, click the line chart icon.
If there are multiple aggregate columns:
- Select a column in the Chart for drop-down at the top right to chart that column.
- Select one column for Chart for and another for Lower Chart to see both charts at once: one on the positive Y-axis and one on the negative Y-axis. This is useful only when the two values are of the same order of magnitude, for example AVG(CPU Utilization) and AVG(Memory Utilization), or AVG(Sent Bytes) and AVG(Recv Bytes).
You can visualize the results as other chart types by clicking the chart drop-down. See FortiSIEM Charts and Views for descriptions of the available charts.
Events in FortiSIEM have an Event Type (a unique identifier) and an Event Name (a short description). When you choose to display Event Type, the Event Name is shown automatically and the Event Type column is hidden to make room for other fields. To see the Event Types as well, select the Show Event Type check box.
Raw events often span many lines. By default, each raw event is truncated and displayed on a single line so that many results fit on one page. To see the full raw event, select the Wrap Raw Event check box.
Using Search Result Tabs
A search result typically contains many rows. To drill down into a specific value in a specific column, hover over that cell and choose Add to Filter or Add to Tab. Add to Filter modifies the search on the current tab by adding this constraint. Add to Tab keeps the current tab intact and adds the constraint either to a new tab or to a tab of your choice, so you can compare several search results side by side. Click Add to Tab and select the tab to which the constraint should be added; the filter conditions and display columns are copied to that tab.
Zooming-in on a Specific Time Window
If you see an unusual pattern (for example, a spike) in the trend chart and want to drill down without typing an exact time range, do one of the following:
- Click the bar: a new search tab is created by duplicating the original search and narrowing its time range to that bar's window (the window shown when you hover over the bar).
- Press and hold the Shift key and drag the mouse across a time window. This changes the time range of the current tab. Click Apply & Run to see the results.
Viewing Parsed Raw Events
Hover over a Raw Event Log cell and click Show Details. The display shows how FortiSIEM parsed that event, attribute by attribute.
Adding an Attribute to the Filter Criteria in the Search
Complete these steps to add a parsed attribute to the filter criteria of the search:
- Check the Filter column for the attribute.
- Click OK. The attribute is added to the filter condition.
- Re-run the query to get the new results.
Adding an Attribute to the Search Display
Complete these steps to add a parsed attribute to the search display:
- Check the Display column for the attribute.
- Click OK. The attribute is added to the display columns.
- Re-run the query to get the new results.