Refining a Search Based on Events
In the Search Results Area resulting from a Simple Search, you can refine the search with column values from the resulting events.
To refine your search based on an event:
In the Search Results Area, hover over a column value of an event, and after it is highlighted, click it.
A list of operations opens.Select one of the following operations:
Add to Search (AND) – To search for events matching the current search query AND the highlighted value in the event.
Add to Search (OR)– To search for events matching the current search query OR the highlighted value in the event.
Exclude from Search – To search for events matching the current search query, with the exception of those events that have the highlighted value in the event (AND NOT).
Replace Search – To replace the search query with the highlighted value in the event.
In the first three operations, the highlighted value is added to the current search query with AND, OR, or AND NOT, respectively. In the last case, the search query is replaced with the highlighted value.
The new search runs.
The added search condition appears under Active Filters in the Augmented Search Pane.Repeat steps 1 and 2 for all event values that you want to include in your search query.
At any point, you can restore the original query, or remove from the query a filter based on an event, by removing it from the Active Filters list (see Managing Active Filters).