Raw Data Format

Based on your search query, the results are displayed in Raw data format. Each event is summarized per row.

The column value options are displayed in the following illustration:

The same result set can be viewed in the Table Format.

Using the raw data format, you can perform the following tasks:

  • Showing or hiding columns from the Raw data

    Click the Columns button to on or off to show the selected columns below the event, or to hide columns to view events in the raw format.

  • Wrapping long events

    Click the Wordwrap button to on or off to indicate if long event should break at normal word break points or to display long events.

  • Highlighting keywords

    By default, the Highlight keyword option is set to on for queries that include CONTAINS or LIKE statements. Click the Highlight on or off link to highlight keywords or remove highlighting from the keywords. This option is not visible for queries that do not include CONTAINS or LIKE statements.

    In the following illustration, when the search query is: USE system | (sys_body CONTAINS 'logapp '), the keyword logapp is highlighted.

  • Filtering data

    Click the column value and select Include this Filter to filter the data based on the value. If you select Exclude this Filter, the results exclude the specified value.

    Note: To filter by any text in the body of the log events (sys_body column), turn the Messages view on, select the required text, and right-click the selected text.

    The Data panel displays results immediately based on the defined filters. You can add multiple filters to fine-tune your search results. You can update the existing filter value. Click on the value to open the Enter value field. Update the value in the field and click . The results are refreshed immediately based on the new filter.

    The following illustration displays the Raw data showing filtered results for sys_body contains 'logapp'.

    • Click to show or hide filters from the Data panel.
    • Click the column value and select Include this filter on the Result tab to filter the data based on the value in a new Result tab. If you select Exclude this filter from Result tab, a new Result tab displays results excluding the specified value.
    • You can filter based on the event body. Drag the mouse to select the event body and select Include this filter to filter your results based on the event body filter. The selected keyword is highlighted in the results. If you select Exclude this filter the results exclude the specified event body.
  • Sorting columns

    You can sort on any column, including group-by count(*) column, group-by aggregation-columns, and other columns. Click the column value and then select Sort Ascending to sort columns in  order. Click the column value and then select Sort Descending to sort columns in descending order.

  • Grouping by values

    Click the column value and select Group by to view grouped results. A new Result tab opens showing grouped results for the selected value. The number of groups is displayed against the column name in the Columns pane. However, for time-based columns, the number of unique values is displayed instead of the number of groups.

    To group by different time range options, click the time value, select Group Dates by option, and then select the period to group your results by different time periods. The Table panel is refreshed showing the results that are grouped by the defined time period. When grouped by sys_eventTime, the results are sorted in ascending order.

  • Hiding columns from the Raw data

    Click the column value and then select Hide to hide the selected column from the Raw data format.