Display Results and Events
The Results tab shows the returned search results, by default displayed as a list. This is sometimes also referred to as the Event list that displays the results of a query. The list includes the columns that have been previously selected in the Fields panel. The @timestamp and @rawstring columns are displayed by default in the list. In the example screenshot below, actor.ip and actionName were selected, therefore they are included in the list.
The Results tab will always show the final results from the query. Depending on the contents and functions used in the query, other tabs may be displayed:If the query includes Aggregate Query Functions, then other tabs may also be displayed:
The Results tab displays the final results from the query, showing the final result set once all of the elements of the query including filters and aggregations have been completed.
The Events tab displays the raw event data after matches and filtering, but before aggregation (for example by
groupBy().
The Table tab will be displayed for each defined table (using
defineTable()) in the source query.
The display of matching entries for the table is limited to the first 500 rows.
You can change the way events are displayed from the toolbar above the Event list:
 |
Figure 65. Results Tab and Display Modes
Display options are (left to right in the toolbar):
Filter match highlighting allows highlighting results based on the filters applied in queries. See Highlight Filter Match for more information.
Scroll to selected event makes it possible to scroll fields starting from a selected event.
Text wrapping is used to wrap lines or truncate fields after the first line.
Sort events changes the order of fields in the event. You can choose whether newest events appear at the bottom or top of the list.
Hide event distribution chart allows hiding the event histogram to get more space when looking at data.
Toggle fullscreen displays events in full-screen mode.