Create a Real-time Search

Requires the Real-time Threat Detection service in the ArcSight SaaS environment.

Real-time searches show live results of your query, based on a start time that you specify (for example, the last 30 minutes). As long as there is data to satisfy the query, the Results Table and Event Histogram continue to build, and the time scale below the histogram continues to show progress.

Real-time search is not available for data imported from Logger.

  1. Display the Search tab.

  2. Enter a query in the search field.

  3. Define the search settings.

  4. Click the drop-down menu for the Timestamp interval.

  5. Select the type of Timestamp for the event.

    Search uses Normalized Event Time (NET) by default.

  6. Click Real-time.

    The user interface displays only settings related to real-time searches. As your search results are returned, the screen, including the event histogram, refreshes every 30 seconds.

  7. Select a Start time from option. Your choices are Last 5 Minutes, Last 15 Minutes, Last 30 Minutes, Last 1 Hour, and Last 12 Hours.

  8. (Optional) Check or uncheck the "Do not accumulate data" option, depending on how you want the default start time of the histogram to behave.

    Data is always accumulated in the background; this option affects only the default time window that the histogram displays. For more information about real-time search limits, see Understand Search Limits.

  9. Click Search.

The Database Receipt Time field is displayed automatically for real-time searches, even if it is not selected in the current fieldset.

You can run at most 25 concurrent real-time searches.


For information about viewing the results of and saving real-time searches, see View the Results of a Real-time Search and Save a Real-time Search.

For information about creating a fixed-time search, see Create a Fixed-time Search.