Add Logs to a Case

You can add logs to a case from the Current Case panel or the Analyzer grid on the Dashboards page and Analyze page. To avoid adding irrelevant logs to a case, use the Search tool, Lucene search, or the Analyzer grid to filter out any logs that do not provide meaningful evidence.

To add logs to a case:

  1. On either the Dashboards page or Analyze page, on the lower-right side of the page, click the Logs tab to open the Analyzer grid.
  2. In the Actions column, select the logs you want to add to the case.
  3. Do one of the following:
    • Open the Current Case panel. At the top of the Current Case panel in the Current Case list, select the case to which you want to add the logs, and click Add Logs.
    • Select Add Logs to Current Case or Create New Case and Add Logs from the Actions menu in the Analyzer grid.
  4. The Add Logs to Case dialog box appears, indicating the number of logs that you are adding to the case.
  5. In the Description text box, provide a brief description of the logs and their relevance to the case.
    You cannot continue without typing a description.
  6. Click Continue.
    All of the logs selected in the Analyzer grid are added to the case as evidence.

When a case is closed and the log evidence TTL has passed, a warning appears indicating that the log cache is unavailable. You cannot view the evidence files on this case until you restore the log data from the CMDB. To restore evidence on a closed case, click Unarchive All Logs in the Evidence section of the Current Case panel or the Cases page.

