Viewing raw events

You can view raw event data, which is the unparsed event data from the log source.

About this task

When you view raw event data, the Log Activity tab provides the following parameters for each event.

Table 1. Raw Event parameters
Parameter - Description
Current Filters - The top of the table displays the details of the filters that are applied to the search results. To clear these filter values, click Clear Filter.
  Note: This parameter is only displayed after you apply a filter.
View - From this list box, you can select the time range that you want to filter for.
Current Statistics - When not in Real Time (streaming) or Last Minute (auto refresh) mode, current statistics are displayed, including:
  • Total Results - Specifies the total number of results that matched your search criteria.
  • Data Files Searched - Specifies the total number of data files searched during the specified time span.
  • Compressed Data Files Searched - Specifies the total number of compressed data files searched within the specified time span.
  • Index File Count - Specifies the total number of index files searched during the specified time span.
  • Duration - Specifies the duration of the search.
  Note: Click the arrow next to Current Statistics to display or hide the statistics.
  Note: Current statistics are useful for troubleshooting. When you contact Customer Support to troubleshoot events, you might be asked to supply current statistical information.
Charts - Displays configurable charts that represent the records that are matched by the time interval and grouping option. Click Hide Charts if you want to remove the charts from your display. The charts are only displayed after you select a time frame of Last Interval (auto refresh) or above, and a grouping option to display.
  Note: If you use Mozilla Firefox as your browser and an ad blocker browser extension is installed, charts do not display. To display charts, you must remove the ad blocker browser extension. For more information, see your browser documentation.
Offenses icon - Click this icon to view details of the offense that is associated with this event.
Start Time - Specifies the time of the first event, as reported to QRadar by the log source.
Log Source - Specifies the log source that originated the event. If there are multiple log sources that are associated with this event, this field specifies the term Multiple and the number of log sources.
Payload - Specifies the original event payload information in UTF-8 format.

Procedure

  1. Click the Log Activity tab.
  2. From the Display list box, select Raw Events.
  3. From the View list box, select the time frame that you want to display.
  4. Double-click the event that you want to view in greater detail. See Event details.