Customize display of query results

After you run a query, you can customize how your results are displayed.

Customize display

You can customize the results section of the Application Control Events dialog.

  • Grouping results by column header. Drag a column header into the top of the results table. This action groups your returned results according to the column header selected.

  • Use the Searching tool to include only those events that match your search criteria. The search applies to all columns. Criteria could include file names or extensions, user or machine names for example. In the case of the Denied Executables query, where a number of event IDs are returned, you could search for a particular event ID, for example.

  • Apply Filtering to one or more column headers. This allows you to include OR exclude events that match your criteria.
    Select Show Filter Editor to add filters to the query results, or hover over a column header and select the filter icon.
    The Filter Editor dialog opens, allowing you to specify filter criteria.

    Refer to the Privilege Discovery use-case video for an illustration of creating and applying a filter.

  • Select Choose Columns to customize which columns display in the query results.

  • Reorder the columns by dragging the column headers to new locations.

  • Select within a column header to sort the column in ascending or descending order.

Group query results

The results table header includes the text: Drag a column header here to group by that column.

  1. To group your query results, select a column header and drag it to the header row within the dialog.

  2. Results are grouped according to the column header applied. In the example below, results are grouped according to Company Name.

  3. You can further group results to build a structured list. The grouping structure is indicated within the table header.

Ungroup query results

  1. To remove a group, select the group you want to remove in the table header row.

  2. To remove the group and retain the column in your returned results, drag the selection to a column header.

  3. To remove the group and remove the column from the returned results, drag and drop the selection anywhere outside the Events

To initiate a search, enter the text you want to find into the search bar, then click Find.

If the Search tool is not visible, right-click on a column header in the Results view and select Show Find Panel from the context menu.

Tips for the Event Viewer search tool

  • The Search tool works only on the information currently visible. Right-click on the column headers to add or remove columns to be searched.

  • If a filter has been applied, only updates matching both the search criteria and the filter criteria are displayed.

  • All partial matches are displayed.

  • The search is not case sensitive.

  • The use of wildcards is not supported.

  • Select Clear to clear the search criteria.

Select Show Filter Editor or hover over a column header and select the filter icon. You also can right-click the column and select Filter Editor from the menu.

  1. In the Filter Editor dialog, enter the criteria required. In the example shown, we create a filter to show only those where the path begins C:\users

  2. Select OK, or select Apply to view the filter results and then OK when you wish to proceed.

  3. To remove the filter, clear the checkbox next to the filter criteria.