Create a Fixed-time Search

A fixed-time search uses a custom range with specific start and end dates. You can choose to specify dynamic dates, such as midnight on the first day of the current month.

  1. Select Search > +.

  2. Enter the query in one of following ways:

    • To use a predefined System search, type #.

      The predefined searches might provide only a query expression or include search criteria such as a specific time range.

    • To use a search operator, such as eval and wheresql, begin typing the operator's syntax.

      For example, type:

      ... | where <expression>

    • To manually enter the query, begin typing the expression.

      For example, type:

      Source Address = 192.10.11.12 and Destination Address = 192.10.11.12 or Destination Address in Subnet 192.10.*.*

    • To use a saved query, criteria, or search results, select .

    • To search data migrated from ArcSight Logger, select Logger from the list box next to the Search button.

    • To search for a field without data, enter [field_name] = Null.

    In the query, Search treats a comma (,) between the search fields and values as an OR operator.

  3. (Optional) To view all content in a very large query, select the Pin icon in the query input field.

    Otherwise, Search truncates long queries, displaying … to indicate additional content.

  4. Specify the fieldset that you want for displaying the search results.

    By default, Search displays your preferred default fieldset. If you have not specified one, Search displays the Base Event Fields fieldset.

  5. Click Fixed-time.

    If you do not have the Real-time Threat Detection Service, the application automatically defaults to Fixed-time.

  6. For the time range, perform one of the following actions:

    • From the menu, select a pre-defined value under Quick Ranges.

    • From the menu, use the Custom Range fields to specify a time range.

    • From the menu, select Dynamic, and then enter a dynamic date value.

    You can also specify the timestamp that you want to use for the retrieved events. Search uses Normalized Event Time (NET) by default.

  7. (Optional) To limit the number of results received from the search, complete the following steps:

    1. Select to the right of the query input field.

    2. For Maximum search results, specify the maximum number of results that you want to receive in the dataset.

  8. (Optional) If you do not want this search to expire in the default time, complete the following steps:

    1. Select to the right of the query input field.

    2. For Search expires in, specify the number of hours that Search will store the session.

      For information about how long session searches are stored, see the "Session Search Expires In" section of Configure Your User Preferences.

  9. (Optional) To more easily find this session search later, give the search a name.

  10. (Optional) To run the search, click Search.

    Alternatively, you can press Enter when editing the query input field.

  11. (Optional) To save the query, criteria, or search results for future use, select the Save icon.
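To make the query conventions from step 2 concrete (a comma between values acts as OR, `[field_name] = Null` finds fields without data, and the `in Subnet` wildcard form), here is an added Python example that is not part of this documentation or the product: a small matcher run over constructed sample events. The grammar, the `and`-before-`or` precedence, and per-octet `*` wildcard matching are assumptions made for illustration; pipeline operators such as `| where` are not covered.

```python
import re

# Constructed sample events (not from the page); keys follow the Base Event Fields naming.
EVENTS = [
    {"Source Address": "192.10.11.12", "Destination Address": "192.10.11.12", "Device Vendor": "ExampleCo"},
    {"Source Address": "10.0.0.5", "Destination Address": "192.10.44.7"},          # no Device Vendor
    {"Source Address": "10.0.0.6", "Destination Address": "172.16.3.1", "Device Vendor": None},
]

# One term: optional [brackets] around the field, then "=" or "in Subnet", then a value (assumed grammar).
TERM = re.compile(r"^\[?(?P<field>[\w ]+?)\]?\s*(?P<op>=|in subnet)\s*(?P<value>\S+)$", re.I)


def subnet_match(addr: str, pattern: str) -> bool:
    """Assumed wildcard semantics: a '*' octet in the pattern matches any octet of the address."""
    a, p = addr.split("."), pattern.split(".")
    return len(a) == 4 and len(p) == 4 and all(x == y or y == "*" for x, y in zip(a, p))


def eval_term(event: dict, term: str) -> bool:
    m = TERM.match(term.strip())
    if not m:
        raise ValueError(f"cannot parse term: {term!r}")
    field, op, value = m.group("field").strip(), m.group("op").lower(), m.group("value")
    actual = event.get(field)
    if op == "in subnet":
        return actual is not None and subnet_match(actual, value)
    if value.lower() == "null":                 # "[field_name] = Null": field missing or empty
        return actual in (None, "")
    return actual is not None and any(actual == v for v in value.split(","))  # comma acts as OR


def matches(event: dict, query: str) -> bool:
    """'and' binds tighter than 'or' (an assumption; the page does not state precedence)."""
    for disjunct in re.split(r"\s+or\s+", query, flags=re.I):
        if all(eval_term(event, t) for t in re.split(r"\s+and\s+", disjunct, flags=re.I)):
            return True
    return False


def run_search(query: str, events=EVENTS, max_results=None) -> list:
    """Return matching events, optionally capped like the 'Maximum search results' setting."""
    hits = [e for e in events if matches(e, query)]
    return hits if max_results is None else hits[:max_results]
```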


For additional information about viewing results and saving fixed time searches, see View the Event Inspector and Save a Fixed-time Search. For information about search limits, see Understand Search Limits. For information about real-time searches, see Understand Fixed-time versus Real-time Searches.