Channel: THWACK: Message List - Security Event Manager (SEM) - Formerly Log & Event Manager

Re: LEM ver 6.2.1 - nDepth search by Name and by IP return different results - Why is that?


If you're looking to verify that a given device is generating logs, what you most likely want is DetectionIP = <device IP or hostname, depending on what gets logged>. That will only show you events that come from that device, rather than events generated on another device. It would be the best way to demonstrate a device is logging.


For example, to find events from the server named 'dc01' with IP '192.168.10.140', I would look for:

DetectionIP = "dc01*" OR DetectionIP = "192.168.10.140"

(this covers the case where some logs on that source are using the IP instead of the hostname)


DetectionIP: this is the IP address that the log file includes as the originating device. For example, if you're syslogging your firewall to the LEM appliance, the firewall's IP will be DetectionIP. (Sometimes these can be names, sometimes IPs, it depends on what the device sends with the log) EVERY event type has this field.

  • Searching for "DetectionIP = <hostname>" means "show me events that originated from <hostname>"


InsertionIP: this is the IP address/name of the "trusted" LEM endpoint. If it's an agent, it'll be the agent's name/IP, if it's the appliance, it'll be the appliance's name/IP.  In the example of logging syslog data to the appliance, the appliance's name/IP will be InsertionIP. (These are commonly names, but if you look in your console you'll see what to expect) EVERY event type has this field.

  • Searching for "InsertionIP = <hostname>" means "show me events that were received by agent or manager <hostname>"


SourceMachine: several key events have this field, including logon/off activity and network activity. This is the originating source of the traffic/event, and is provided by the log data. For example, the source of network traffic, or the location someone was logging on from. NOT every event type has this field, but a large number do.

  • Searching for "SourceMachine = <hostname>" means "show me events where the SourceMachine field (source of the event/attack) was <hostname>"


DestinationMachine: similar to the above - this is the destination of the traffic/event, provided by the log data. For example, the destination of the network traffic, or the location someone was logging on TO. NOT every event type has this field, but a large number do.

  • Searching for "DestinationMachine = <hostname>" means "show me events where the DestinationMachine field (destination of the event/attack) was <hostname>"


And, finally, searching for "IP Address = <hostname>" means "show me events where ANY of the above conditions were met for <hostname>".


That <hostname> could be the originating source, the agent/appliance, the source of the event/attack, or the destination of the event/attack. Since it could be anywhere in the event, it doesn't tell you that device is logging (necessarily), but it does tell you it was either the source/destination OR originator of an event.


Well... I honestly don't know if this is documented and wouldn't be surprised to find that it's not. The LEM User Guide is probably your best bet. Feel free to verify with the support team, though! I worked on LEM from its inception up to about a year ago when I left SolarWinds so most of my advice is from internal knowledge and experience. Not much of the fundamentals have changed, yet anyway!
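A worked illustration of the field semantics described in the reply above, added here by the editor; it is not code from the original post and not part of SolarWinds LEM or nDepth. It is a toy evaluator over a handful of constructed LEM-like events (the host names lem01/ws17 and all IPs other than 192.168.10.140 are made up; the query grammar supporting only `=`, `OR` and a trailing `*` wildcard is an assumption, not nDepth's real parser). It shows why "IP Address = X" and "DetectionIP = X" return different result sets, why searching by name and by IP differ when a source logs both forms, and why only a DetectionIP hit proves a device is actually logging.

```python
"""Toy evaluator for nDepth-style field searches (editor's example, not LEM code).
Field meanings follow the post: DetectionIP = originating device, InsertionIP =
agent/appliance that received it, SourceMachine/DestinationMachine = from the log
data, and "IP Address" = any of the four."""
import fnmatch
import re

# Constructed sample events (not real LEM output). dc01/192.168.10.140 come from
# the post; lem01, ws17 and the other addresses are invented for illustration.
EVENTS = [
    # firewall syslogged to the appliance: firewall is DetectionIP, appliance is InsertionIP
    {"EventType": "FirewallDeny", "DetectionIP": "192.168.10.1", "InsertionIP": "lem01",
     "SourceMachine": "10.0.5.23", "DestinationMachine": "192.168.10.140"},
    # logon collected by the agent on dc01; workstation ws17 is only the logon source
    {"EventType": "UserLogon", "DetectionIP": "dc01", "InsertionIP": "dc01",
     "SourceMachine": "ws17", "DestinationMachine": "dc01"},
    # same DC, but this log line carried its IP instead of its name
    {"EventType": "UserLogoff", "DetectionIP": "192.168.10.140", "InsertionIP": "dc01",
     "SourceMachine": "ws17", "DestinationMachine": "192.168.10.140"},
    # an event type that carries no Source/Destination fields at all
    {"EventType": "ServiceStart", "DetectionIP": "ws17", "InsertionIP": "ws17"},
]

# "IP Address" is treated as a meta-field: it matches if ANY of these fields match.
IP_ADDRESS_FIELDS = ("DetectionIP", "InsertionIP", "SourceMachine", "DestinationMachine")

_TERM = re.compile(r'\s*(?P<field>[A-Za-z ]+?)\s*=\s*"(?P<value>[^"]*)"\s*')


def parse_query(query):
    """Parse 'Field = "value" OR Field = "value"' into (field, pattern) terms.
    Assumed grammar: only '=' and OR; '*' in a value is a wildcard."""
    terms = []
    for part in query.split(" OR "):
        m = _TERM.fullmatch(part)
        if not m:
            raise ValueError(f"unsupported term: {part!r}")
        terms.append((m.group("field").strip(), m.group("value")))
    return terms


def field_matches(event, field, pattern):
    """True if the event has the field and its value matches the pattern (case-insensitive).
    Events lacking the field (e.g. no SourceMachine) simply never match it."""
    if field == "IP Address":
        return any(field_matches(event, f, pattern) for f in IP_ADDRESS_FIELDS)
    value = event.get(field)
    return value is not None and fnmatch.fnmatchcase(value.lower(), pattern.lower())


def search(events, query):
    """Return the EventTypes of events matching any OR'd term of the query."""
    terms = parse_query(query)
    return [e["EventType"] for e in events
            if any(field_matches(e, f, p) for f, p in terms)]


def proves_device_is_logging(events, host_patterns):
    """The post's recommendation: a device is demonstrably logging only if it shows up
    as DetectionIP (the originating device), not merely somewhere inside another
    device's event. Pass both name and IP forms to cover mixed logging."""
    query = " OR ".join(f'DetectionIP = "{p}"' for p in host_patterns)
    return len(search(events, query)) > 0


if __name__ == "__main__":
    # By name only vs. by IP only vs. both: different hits, same DC
    print(search(EVENTS, 'DetectionIP = "dc01*"'))
    print(search(EVENTS, 'DetectionIP = "192.168.10.140"'))
    print(search(EVENTS, 'DetectionIP = "dc01*" OR DetectionIP = "192.168.10.140"'))
    # "IP Address" also pulls in the firewall event where the DC is only the destination
    print(search(EVENTS, 'IP Address = "192.168.10.140"'))
    # ws17 appears as a logon source in DC events, but that does not prove ws17 logs
    print(search(EVENTS, 'IP Address = "ws17"'), search(EVENTS, 'DetectionIP = "ws17"'))
    print(proves_device_is_logging(EVENTS[:3], ["ws17"]))
```

Run as-is: the DetectionIP name-only and IP-only searches each return one of the two DC events, the OR of both returns both, and "IP Address" adds the FirewallDeny event where the DC was merely the destination. For ws17, "IP Address" matches three events while DetectionIP matches only the one it actually originated; drop that event and `proves_device_is_logging` correctly reports False even though ws17 still appears in the DC's logon records.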

