Save a Real-time Search

Requires the Real-time Threat Detection service in the ArcSight SaaS environment.

You can save the results of a real-time search as a dataset. The saved dataset can include all events received so far or only the events in the current histogram range. You must pause the search before you can save the dataset. While paused, the search continues to receive events in the background, so the saved dataset might contain slightly more events than the Results Table showed at the moment you paused the search.

  1. In the Search tab, pause the search.

  2. Click the Save icon.

  3. Select Search Results (Dataset).

    You can also choose to save just the search criteria instead of the results.

  4. Specify a name for the saved search.

    • Each saved search must have a unique name.

    • We do not recommend giving a saved query, saved criteria, and a saved results dataset the same name, because the items are easy to confuse.

  5. Specify the time range of the events that you want to save:

    Histogram time range
    Saves only the events associated with the time range currently displayed in the Event Histogram. For example, 7:30 AM to 9:12 AM.
    Entire time range
    Saves all results received for the search.
  6. Specify how long you want to store the dataset.

    By default, saved results expire after 7 days, or after the retention period configured in your preferences. If you have Log Management and Compliance (Recon) and the Never Expire Search Results permission, you can configure the saved results to never expire; such a dataset persists until you delete it.

  7. Select Save.

For more information about creating and viewing the results of a real-time search, see Create a Real-time Search and View the Results of a Real-time Search.