#4 multi-part events need restructuring
Opened by lcbruzenak. Modified

When an event has multiple records, it doesn't give much information on the screen.
I think that maybe a different approach may be needed to make it more readable.
See the attachment for an example of a crowded summary line (highlighted).


Thanks for your report.

On one hand, it would make sense to use one line per record; it is the "natural representation", and filters work by matching events that contain a record that matches the filter. In the current system you can create a set of columns that show the fields you want on one line (collected from more than one record), but you can't create a filter that would match a combination of the fields.

On the other hand, splitting events into records would prevent showing a path and the context of a file access-related AVC on one line.

I can't think of a good solution offhand. "Make it configurable" works, but isn't very intuitive...

I have a suggestion FWIW which may be easily accomplished:

Since, for example, I have in this view desired to see the "node" field, you could eliminate that one from the "Other Fields" column. Ditto the "type" ... however, in the case where there is more than one record type per event, it would be desirable to see all unique types in the "type" column delimited by maybe a slash ("/") like "SYSCALL/PATH/CWD".
That way the info the user deems important is not repeated in the following line and maybe it would condense the unique data.
