
nDepth view in the LEM console

Updated: September 15, 2017

The nDepth search engine (Explore > nDepth) locates and analyzes events on your network.

This topic provides help for the nDepth view in the LEM console. For more information, see About LEM nDepth search.

The nDepth search view

The following illustration shows the nDepth view.

[Illustration: the nDepth view]

| Number | Item | Description |
|---|---|---|
| 1 | History | Displays links to your recent nDepth search results. |
| 2 | Saved Searches | Displays links to your saved nDepth search results. |
| 3 | Filters and groups sidebar | Displays categorized lists of events, event groups, event variables, and additional options you can use to create conditions for your filters. |
| 4 | Search bar | Searches all event data or the original log messages that pass through a LEM Manager. Drag the toggle switch to select Drag & Drop or Text Search mode. |
| 5 | Respond | Displays a list of corrective actions you can execute when an event occurs, such as shutting down a workstation or blocking an IP address. |
| 6 | Explore | Displays several utilities you can use to research an event, including Whois, Traceroute, and NSlookup. |
| 7 | Time | Provides a drop-down menu to select the time range for your search. |
| 8 | Play | Executes the selected search. |
| 9 | Histogram | Displays the number of events or log messages reported within the selected search time range. |
| 10 | Dashboard | Displays the search results in all available widgets. You can change this view by clicking a widget in the nDepth toolbar. The alerts icon indicates you are exploring event data. The log message icon indicates you are exploring log messages. |
| 11 | nDepth Toolbar | Organizes log data into categories to identify activity in your network. Click a selection to display the category below the histogram. |

 

The nDepth history pane

Each nDepth explorer search adds an item to the Explore view history pane.

The event data history icon represents an event data search. The log message history icon represents an original log message search.

The following illustration displays an nDepth search of event data. When you hover over a history item, you can view the number of search results and your search string text.

[Illustration: nDepth search history item]


A new search adds a history item. If you click an earlier history item, the system takes you back to that search and does not make a new item. After you modify your nDepth search parameters and perform a new search, that search becomes a new history item.

The nDepth filters and groups list pane

Below is an example of the filters and groups list pane that displays in the Explore > nDepth view.

[Illustration: filters and groups list pane]


The following table describes each option in the filters and groups list pane.

| Filter | Description |
|---|---|
| Refine Fields | The top 100 data details for each field found in your nDepth search results. The details change, depending on whether you are searching event data or log messages. You can use these details to create, refine, or append nDepth search conditions. Click ABC to sort the details alphabetically within each category. Click 321 to sort the details by frequency within each category. The items that occur most often appear first within each category. |
| Managers | The various appliances monitored by the console. Use this list to select the Manager for your nDepth search. If you stored the original event log on a separate nDepth appliance, select this appliance to search that data. In Drag & Drop Mode, you can drag an item from this list into the search box to include that item in the search string. When using Search Builder, you can drag an item from this list into the Conditions box. |
| Events | All console event types. Click the node tree button to display the list as a hierarchical node tree. Click the list button to list event types alphabetically, regardless of their position in the hierarchy. |
| User-Defined Groups | Groups of preferences used in rules and event filters to match, include, or exclude events, information, or data fields based on their membership with a particular Group. In most cases, these groups are used in rules for choosing which events to include or to ignore. These groups apply to Managers and are created in the Group Builder. |
| Connector Profiles | Groups of Agents with common connector configurations. Use connector profiles with rules and filters to include or exclude Agents associated with a particular profile. You can create connector profiles in the Build > Groups grid. |
| Directory Service Groups | Preconfigured groups of network computers and system users you can use in rules and filters. They allow you to match, include, or exclude events to specific users or computers based on their group membership. These groups are synchronized through the Groups grid. |
| Subscription Groups | All console user names, and the Manager associated with each user. Each name represents the list of rules subscribed to each individual user. When you add a subscription group to a filter, you can build the filter so it only displays event messages related to specific rules that a particular user is interested in (or “subscribed to”). You can create subscription rules in the Groups grid. |

The nDepth search bar

The search bar provides a method to search all event data or the original log messages that pass through a LEM Manager. You can search logs from various devices using predefined search parameters (such as Change Management Events) or search for specific data using a text search. The toggle switch in the search bar allows you to switch between the drag-and-drop and text search modes.
 

The following table describes the key features of the nDepth search bar.

Name Description

Mode selector

Use this toggle switch to select how you intend to enter the search string for your queries:

  • Select Drag & Drop Mode (upper position) to drag items from the list pane or the Result Details view directly into the search box. This is the recommended position, as it is the easiest to use.
  • Select Text Input Mode (lower position) to type a search string directly in the search box. In this mode, the search box also shows the text version (or search string) of any search that is being run or configured in Search Builder or the Saved Searches pane.

Search box

This box contains your search conditions. You can enter search conditions a number of different ways.

[Delete button icon]

Click a delete button next to a condition or a group to remove that condition or group from the current search configuration.

AND

OR

The search bar includes AND and OR operators. These operators let you include AND and OR relationships between conditions and groups of conditions, when you have multiple conditions in your search string. Click the operator icon to toggle between AND and OR relationships.

Group summary

When you have a group of conditions, the search bar displays the conditions as a summary. To see the actual conditions, point to them. A ToolTip appears that shows each condition in the group.

[Delete All icon]

Click this Delete All button to delete the entire contents of the search box, so you can begin a new search.

[Search button icon, red search button icon, stop search icon]

Click this button to begin a search, or to stop a search that is in progress.

  • Click the search button to begin searching.
  • If the search button turns red, it means the current search configuration is invalid.
  • Click the stop button to stop a search that is in progress.

Time selector

In the time selector, select a time frame for the search. If needed, you can create your own custom time frame.

Data selector

Use this toggle switch to choose the data you want nDepth to explore:

  • Select Events (left position) to search LEM's normalized event data. This is the event data that appears in the Monitor view.
  • Select Log Messages (right position) to search the actual log entries that are recorded on your network products' log files. If Log Messages is disabled, it means your equipment is either disabled, or it does not have the capacity to store and search the original log messages. However, you can still search the data in the Events position.

Drag-and-drop search mode

When the toggle switch is in the up position, nDepth search is in Drag and Drop Mode. In this mode, you can drag items from the List pane or Results Details directly into the search box to initiate a search for a specific event.

[Illustration: search bar in Drag and Drop Mode]

In this mode, the search bar includes AND and OR operators. These operators let you include AND and OR relationships between conditions and groups of conditions, when you have multiple conditions in your search string.


For example, when you click a saved search, the search parameter populates the search bar. The operator icon at the end of the search bar indicates an OR operator.

[Illustration: search bar showing the OR operator]

When you click the operator icon, it changes to the AND operator.

[Illustration: search bar showing the AND operator]

Click the delete button next to a condition or a group to remove your condition or group from the current search configuration.
 

The search bar synchronizes with Search Builder.

Creating search conditions

The following table describes how to add search conditions in Drag & Drop Mode and in Text Input Mode.

| To | Do this | Mode: Drag and Drop | Mode: Text |
|---|---|---|---|
| Clear a search from the search box | Click Delete All next to Play on the search bar. | | |
| Add a new search | Clear a search from the search box, and then add new search conditions using any method listed in this table. | | |
| Add conditions to an existing search | Use any method listed in this table. nDepth automatically adds new search conditions to the search string. | | |
| Add a search condition from a widget or other graphical tool | Click an item in a graphical tool to add that item to the search box. | | |
| Add a search condition from the list pane | In the Refine Fields list, double-click an item. | | |
| | In any list, click and drag an item into the search box. | | |
| Add a search from Search Builder | Configure a search with Search Builder. Search Builder automatically populates the search bar with the search configuration. The search bar and Search Builder are different views of the same search. | | |
| Add a search condition from the Result Details view | Select a character string from the data, and then double-click the string to add it to the search box. | | |
| | Select a character string from the data, and then drag it into the search box. | | |
| | Select a character string from the data, and then copy and paste it into the text box. | | |
| Type a search string | Type a search string directly in the search box. | | |
| Perform the search | Click Play on the search bar. | | |

The nDepth histogram

The nDepth histogram displays the number of events or log messages reported within your search time frame. nDepth returns search results chronologically so you can investigate a specific interval. You can minimize the search window to take a closer look or maximize the window to view additional activity.

nDepth's histogram summarizes event activity within a particular period. By default, the histogram displays the last 10 minutes of event activity. The bright zone shows the period that is currently being reported. The gray zones show activity outside of the reported period.

[Illustration: histogram summary]

The bottom time bar is divided into one-minute intervals. The top bar is divided into 30-second intervals. The histogram displays a separate bar for each 30-second interval. Time is displayed in 24-hour (military) time.

Pointing to a bar shows the total number of events that occurred in that interval. Clicking a bar opens a pop-up window that shows a histogram for that bar's interval. Depending on the range of the search's time frame, these intervals can be as short as 5 seconds.

[Illustration: histogram detail]

When you switch to the Result Details view, the histogram displays two dashed vertical lines. These lines are markers, indicating where you are in the histogram for each page of the search results. The lines show the times of the first and last event on the current Result Details page.

By default, the ▲ shows the time of the first result on the page. If you select an event in the Result Details box, the pointer shows the time of that event.

When you view the search results of events number 1-200, the left line shows the time of event number 1, and the right line shows the time of event number 200. If you click event number 150, the ▲ shows the time that event occurred.

Search activity associated with a particular histogram bar

Use the histogram to search the event activity associated with a particular vertical bar in the histogram.

To search activity for a bar, double-click a vertical bar. nDepth automatically refines the search and refreshes the data to show only the events from the time frame associated with that bar.

Adjust the search period

You can use the nDepth histogram to move the search period to an earlier or later start time. For example, when you search a 30-minute time frame, you can search the data for the same period, but adjust the search period within the 30-minute time frame.

  1. Move your mouse pointer over the histogram.
  2. Locate the gray slider that appears in the window.
  3. Drag the slider to the left to move the period to an earlier starting point. Drag the slider to the right to move the period to a later starting point.

    As you move the slider, a ToolTip displays the period's midpoint time.

    [Illustration: histogram center slider]

  4. Click the zoom in icon to run the search for the new time frame.

    nDepth automatically refines the search and refreshes the data to display only the events from the new time frame. Modifying the period automatically changes the search bar time selector to Custom.

  5. Click the zoom out icon to restore the previous time frame (if desired).

Change the period start and end time

You can use the nDepth histogram to change the search period by changing its start time and end time. For example, if you run a search for a 30-minute period, you can expand the time frame (for example, 45 minutes) or reduce the time frame (for example, 20 minutes).

  1. Move your mouse pointer over the vertical bar.
  2. Drag the vertical bar to a new destination.

    Drag the left or right slider to change the time frame start or end time, respectively. When you release the slider, a tooltip shows the new start time.

    [Illustration: histogram left slider]

  3. Click the zoom in icon to run the search for the new time frame.

    nDepth automatically refines the search and refreshes the data to show only the events from the new time frame. Changing the time frame automatically changes the search bar time selector to Custom.

  4. Click the zoom out icon to restore the previous time frame (if desired).

The nDepth explorer toolbar

This toolbar provides links to dashboards that display your data in different formats. You can also access Search Builder and details about your search results from the toolbar.

[Illustration: nDepth explorer toolbar]

The following table describes the function of each option on the nDepth explorer toolbar. Each option provides a different view of the data from the most recent search.

In any explorer view, if a particular chart configuration does not logically apply to the data you are exploring, that chart is disabled.

| Tool | View | Description |
|---|---|---|
| [icon] | Dashboard | Displays each nDepth view as a small widget. You can minimize and maximize each widget or edit the chart widgets to change their appearance. This is the default view. |
| | Word Cloud | Displays keyword phrases that appear in your event data. Phrases appear in a size and color that relate to their frequency. You can filter this view to zero in on a range of activity or click a phrase to create or append a search based on that phrase. |
| [icon] | Tree Map | Displays the items that appear most often in the data as a series of categorized boxes that correspond with the data categories in the Refine Fields list. The box size in each category is associated with its relative frequency. The more often an item occurs, the larger its box appears. You can hover over small boxes to open a tooltip and display its contents or click a box to create or append a search based on that item. |
| [icon] | Bar Charts | A group of widgets that display your most frequent data items as a series of bar charts, which correspond to the relative frequency. The more often an item occurs, the larger its bar appears. You can hover over a bar to open a tooltip or click a bar to create or append a search based on that item. |
| [icon] | Line Charts | A group of widgets that display your most frequent data items as a series of line graphs. The height of a point on the graph corresponds with the item's relative frequency. The more often an item occurs, the higher the point appears on the graph. You can point to an item on the graph to show information about it. You can also click a point on the graph to create or append a search based on that item. |
| [icon] | Pie Charts | A group of widgets that display your most frequent data items as a series of pie charts. The size of each pie wedge corresponds with the relative frequency. The more often an item occurs, the larger its wedge appears. You can hover over a wedge to view additional information or click a wedge to create or append a search based on that item. |
| [icon] | Bubble Charts | A group of widgets that display your most frequent data items as a series of circles or bubbles. The size of each bubble corresponds with the relative frequency. The more often an item occurs, the larger its bubble appears. You can hover over a bubble to display additional information or click a bubble to create or append a search based on that item. |
| [icon] | Result Details | A text-based view of the data you are investigating. This view also supports nDepth search capabilities. You can create or refine searches by dragging and dropping search strings from the data into the search box. |
| [icon] | Search Builder | A graphical interface used to create and refine complex searches. You can drag items from the nDepth list pane directly into the Search Builder Conditions box to configure complex searches. Search Builder is similar to the Filter Creation tool. |

The nDepth word cloud

The nDepth word cloud summarizes your event activity by displaying the top 100 keyword phrases that appear in your event messages.

Click the word cloud icon in the toolbar to open the widget.

[Illustration: nDepth word cloud]

Phrases appear in a size and color that relates to their frequency. Phrases that appear in warm colors (red, orange, and yellow) and in larger print represent the phrases that occur most frequently. These are your hot items.

Phrases that appear in cool colors (green and blue) and in smaller print occur with the least frequency. These are your cool items. Cool items may still be important. They just occur less frequently than hot items.

View Statistics in the word cloud

A word cloud includes statistics about each item listed in the cloud. To view your cloud statistics, point to a phrase in the word cloud. A tooltip displays, showing the keyword phrase, its count (the number of times it occurs in the reported period), and its percentage. The percentage is based on the relative frequency of the phrase compared to other reported phrases.

Filter the word cloud contents

Two horizontal bars display at the bottom of the word cloud. The top bar is a color gradient that goes from red (hot) to blue (cool). These colors correspond with the colors of the phrases displayed in the Word Cloud.

The lower bar controls which parts of the gradient the word cloud is allowed to display. You can use this bar to filter the word cloud so it only displays the section of the gradient you want to see. By default, the word cloud displays everything associated with the entire gradient: all items that are hot, cool, and in between.

By default, the word cloud displays the top 100 phrases, and the sliders are automatically adjusted to this width. If you manually adjust the sliders, nDepth remembers the left position and automatically adjusts the right position so the word cloud displays up to 100 phrases between the left and right positions. If all 100 phrases can be shown within the positions you've selected, the sliders will stay in place.

Slider settings are stored with each word cloud. As a result, you can create word clouds in the dashboard that are adjusted differently from the primary word cloud view.

To hide hot items, drag the lower bar's left-hand slider to the right. To hide cool items, drag the lower bar's right-hand slider to the left. To restore the Word Cloud, drag the sliders back to their far-left and far-right positions.

Exploring Items in the word cloud

You can use the word cloud to explore a particular phrase by using it as the basis for a new search, or to append it to an existing search. To explore an item in the word cloud, click the phrase you want to explore. When the phrase appears in the search bar, click the search icon to show the results associated with your search.

The nDepth tree map

The tree map summarizes your event activity in categories based on common event data fields. The size of each box corresponds with the relative frequency of its occurrence. The more often a detail occurs, the larger its box appears.

Click the tree map icon in the toolbar to open the widget.

[Illustration: nDepth tree map]

Most categories correspond with actual event fields, as they appear in the Monitor view. When you are working with log messages, the tree map organizes the data into categories based on common log message data fields. Some data categories may not always be present. If there is no event activity associated with a particular data category or field, it will not appear in the tree map.

The items that appear in the tree map view are the same source files data field categories and values listed in the Refine Fields list at the top of the list pane. You can click and select an item from the tree map as a search condition. If a box is too small to show its contents, point to it to open a tooltip that displays its contents.

Resize tree map categories

To maximize a category, click the maximize icon in the targeted box toolbar. When maximized, a tree map category can show very small items within it. If a box is too small to show its contents, you can point to it to open a tooltip that shows its contents.

To restore a category to its proportional size, click the minimize icon in the targeted box toolbar.

Explore items in the tree map

You can use the Tree Map to explore a particular item by using the item as the basis for a new search, or to append an existing search. Click the item you want to explore. A search string for that item appears in the search bar. Click the search icon on the search bar. After a moment, nDepth refreshes to show the results associated with your search.

The Result Details view

The Result Details view displays the raw data shown in the graphical views. You can create or refine searches by dragging and dropping search strings from the search data into the nDepth search box.

You can use Result Details in Events mode to view and search normalized event data found in the Monitor view, or in Log Messages mode to view and search the original log message data collected and stored on the LEM (or another dedicated nDepth appliance).

You can use your nDepth search results to refine your nDepth searches, explore event details with other explorers, or initiate an active response to event details.

Interpret search results in Events mode

Use Events mode to search all normalized event data reported in the Monitor view. This data is pulled from the LEM appliance.

The following table describes how to interpret your data search results in Events mode.

Name Description
Event number The incremented event number. Each row represents a new event.
Date and time stamp The time and date the event occurred.
Event name The name of the event that occurred.
EventInfo Additional information about the event. You can select these details to refine your nDepth search, explore them with other explorers, or respond to them with an active response.

Interpreting search results in Log Messages mode

In Log Messages mode, you can use nDepth to search all of the original log messages that pass through a particular network appliance (or host). Below is an example of the nDepth Result Details view with the original log message data.

[Illustration: nDepth Result Details view in Log Messages mode]

The following table explains how to interpret search results of data in Log Messages mode.

Item Name Description
1 Event number The incremented event number. Each row represents a new event.
2 Date and time stamp The time and date the event occurred.
3 Log message The log message that matched your search criteria.
4 Host The Manager or appliance that logged the message.
5 ToolId The actual product or tool that generated the message.
6 ToolType The SolarWinds tool category that generated the message.

Tool IDs and Tool Types match SolarWinds tool configuration categories.

Adding search strings from Result Details

Use the following procedures in the Result Details view to highlight and select character strings and create new search conditions from the data.

To Do this

Selecting data

Highlight a continuous character string

Point to the character string.

Select a continuous character string

Point to the character string to highlight it. Click the string to select it.

After you select a character string, an orange box surrounds the string. Every matching character string in the search results is selected as well.

Select a phrase (two or more character strings separated by spaces)

Click the first character in the string, and then drag across the string to select the remaining content.

After you select a character string, an orange box surrounds the string. Every matching character string in the search results is selected as well.

Select a data row

Click the event number in the row. When the row is selected, an orange highlight bar appears to the left of the row.

Creating search conditions from Result Details data

Clear the search box to add a new search condition

  1. On the search bar, click to clear the search box.
  2. Add a new search condition by using any of the techniques in this table.

Add a search condition from Result Details data

  1. Select a character string in the data.
  2. Double-click the selected string to add it to the search box.

Select a character string in the data, and then drag it into the search box.

Copy and paste a character string from Result Details data into the search box

  1. Change the search bar to Text Input mode.
  2. Select a character string in the data.
  3. Copy the search string.
  4. Click the search box, and then paste the character string into the text box.

Type a search string in the search box

  1. Change the search bar to Text Input mode.
  2. Type the search string directly in the search box.

Add conditions to an existing search

  1. In the data, select the character string you want to append to the existing search conditions.
  2. Double-click the selected string or drag the string into the search box.

    Your selection is appended to the existing conditions.

Using Explorers with Result Details

Use the nDepth Result Details view to access additional explorers to investigate specific details that you find in your nDepth search results.

You can select specific values and pass them in to the value-based explorers (such as Whois, NSLookup, and Traceroute). For example, you can investigate a suspicious IP address with these explorers to learn more about that IP address.

When you view data in Events mode, each row in the search results represents the data for an individual event. You can select the row for an event you want to explore, and then pass the row into the Event Explorer to explore that event.

To explore details in search results:

  1. Open the Result Details view.
  2. Select the character string or row you want to explore.

    Select the character string you want to investigate. When selected properly, the character string is surrounded by an orange box.

    If you are viewing data in Events mode, select the row you want to explore in the Event Explorer. When you select a row, an orange highlight bar appears to the left of the row.

  3. Click Explore and select the explorer you want to use.

    The Explore > Utilities view displays, and the system passes the selected data to your selected explorer.

  4. Click Search or Analyze to explore the string.

Search Builder

This section describes the main features of Search Builder.

[Illustration: Search Builder with numbered callouts]

The following table describes the Search Builder features.

Item Name Description
1 Undo / Redo Click the undo icon to undo your last action. You can undo up to 50 steps. Click the redo icon to redo the last action. You can redo up to 50 steps.
2 Search bar Displays the current search parameters. If the search bar is in Drag and Drop mode, it displays your configured search parameters, which match the parameters in the Conditions box. If the search bar is in Text Input mode, the search bar displays the current search parameter as a search string.
3 List pane Contains categorized lists of events, event groups, event variables, groups, profiles, and constants you can use to create conditions for your filters. For nDepth searches, you can only use the Refine Fields and Managers lists. The Refine Fields list summarizes all of the primary event details from your search results. The Managers list includes each Manager and appliance that can be used with nDepth for searching data.
4 Histogram pane Investigates a specific time interval. Drag the left and right borders to increase or decrease the search time line.
5 Executes the search.
6 Conditions box Defines the conditions for the data reported by the filter. Configure conditions by dragging items from the list pane into the Conditions box.
7 Add group button Adds a new group within the group box. A group within a group is a nested group. Each group is subject to AND and OR relationships with the groups around it and within it. By default, new groups appear with AND comparisons.
8 Delete group button Deletes a condition, group, and any groups nested within the group.
9 Group Individual groups (and the entire Conditions box) can be expanded or collapsed to show or hide their settings:

  • Click to expand a collapsed group.
  • Click ▼ to collapse an expanded group. The number that appears in parentheses indicates how many conditions are contained in the group.

After you configure a group, you can collapse it to avoid any unwanted changes.

10 AND / OR Boolean operators that define the relationships between your search conditions. Click the operator icon to toggle between AND and OR conditions.
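
To show how the AND and OR operators and nested groups in the Conditions box change which rows a search returns, the following Python model is added here as an illustration; it is not SolarWinds code and not LEM search syntax. The sample rows, tool names, class names, and the substring matching rule are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample rows (not real LEM output) with the Log Messages mode
# columns: event number, time stamp, log message, Host, ToolId, ToolType.
def _row(n, host, tool_id, tool_type, message):
    return {"EventNumber": n, "Time": f"2017-09-15 10:0{n}:00", "Host": host,
            "ToolId": tool_id, "ToolType": tool_type, "LogMessage": message}

ROWS = [
    _row(1, "lem01", "ExampleFirewall", "Firewalls", "deny tcp src 203.0.113.7 dst 10.0.0.5 port 3389"),
    _row(2, "lem01", "ExampleFirewall", "Firewalls", "permit tcp src 10.0.0.8 dst 10.0.0.5 port 443"),
    _row(3, "lem02", "ExampleSSH", "Operating Systems", "Failed password for admin from 203.0.113.7"),
    _row(4, "lem02", "ExampleSSH", "Operating Systems", "Accepted password for backup from 10.0.0.8"),
    _row(5, "lem01", "ExampleFirewall", "Firewalls", "deny udp src 198.51.100.9 dst 10.0.0.5 port 53"),
]

@dataclass
class Condition:
    column: str  # Result Details column to test
    text: str    # character string selected in Result Details

    def matches(self, row):
        # Assumption of this model: case-insensitive substring match.
        return self.text.lower() in str(row.get(self.column, "")).lower()

@dataclass
class Group:
    operator: str = "AND"                      # new groups default to AND
    items: list = field(default_factory=list)  # Conditions and nested Groups

    def toggle(self):  # mirrors clicking the operator icon
        self.operator = "OR" if self.operator == "AND" else "AND"
        return self

    def matches(self, row):
        if not self.items:  # assumption: an empty group adds no constraint
            return True
        results = (item.matches(row) for item in self.items)
        return all(results) if self.operator == "AND" else any(results)

def search(group, rows=ROWS):
    """Return the event numbers of the rows that satisfy the group."""
    return [row["EventNumber"] for row in rows if group.matches(row)]

if __name__ == "__main__":
    ip, deny, failed = (Condition("LogMessage", t) for t in ("203.0.113.7", "deny", "Failed password"))
    print(search(Group("AND", [ip, deny])))                         # flat AND
    print(search(Group("AND", [ip, deny]).toggle()))                # flat OR
    print(search(Group("AND", [ip, Group("OR", [deny, failed])])))  # nested
```

Nesting an OR group inside the default AND group keeps the source address as a required condition while accepting either message type, which a single flat group cannot express.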
