Event Inspector
The Event Inspector is a tool for examining event details (see Events and Event Categorization for information about events). The Event Inspector is located in the ArcSight Console's Inspect/Edit panel. To open the Event Inspector, double-click an event line in a grid view. See Views.
There are two panels in the Event Inspector. The top panel displays selected events with associated rules. The events listed here have a set of right-click menu commands similar to those described in Using Active Channel Menu Commands. The bottom panel displays event details for one or more events that have been selected from the top panel. If you select more than one event from the top panel, only their common values are displayed in the bottom panel.
The Event Inspector can display the chain of events that trigger a rule (see Rules) and generate a correlation event. From the Event Inspector you can view each event and rule in the chain for details.
Depending on the information available for an event, you may also be able to review its business significance in the Impact Analysis tab or its actual content in the Payload tab.
Tip: Viewing global variables in the Event Inspector
When you view events in an active channel and open an event that contains a global variable field in the Event Inspector, you may need to refresh the Event Inspector view to see the global variable fields, because the Manager processes global variable data differently from regular event data.
-
If your Hide Empty Rows icon is toggled on (so that empty rows are not displayed), you may not see global variable field in the event inspector.
-
To refresh the view, de-select, then re-select the Hide Empty Rows icon.
See also: Inspecting and Editing.
Note: The overall set of event-attribute fields is defined in Data Fields, but you can make or use custom subsets with the Field Set Editor (see Field Sets). Choose a set name to see only that predefined set of fields.