Configure Your User Preferences

Depending on whether Multi-tenancy is enabled, select [your_ID] > Profile or Edit Profile > Preferences.

Some deployed capabilities enable you to configure preferences for commonly used settings. For example, if you regularly use the same fieldset for a Search, you can specify that set as your preferred default.

Configure Search Preferences

To reduce the time required to create and manage searches, configure Search to use your preferred settings. You can always override your preferences as needed when you create a search.

Default Fieldset

Specifies the fieldset that you regularly use for a search. The default value is Base Event Fields.

Default View

Specifies whether you want the Events Table to display results in the Grid View or Raw View. The default value is Grid View.

Time Zone

Instructs Search to adjust the timestamp for events to the chosen time zone:

  • Browser

  • Database

  • Custom

To specify the type of timestamp that you want to use, modify the preference for Base Searches On.

Date / Time Format

Specifies the format of dates and times that you want Search to use. The default is MM/DD/YYY HH:MM:S.

For example, you might want to use the same format that you have already configured for your browser. Alternatively, you might prefer a format like YYYY/MM/DD HH:MM:SS.

Default Time Setting

Specifies the time range within which you want Search to find events. The default is Last 30 minutes.

  • Dynamic

    If you prefer to use a dynamic time range, you must also specify the Start and End times. For example, specify $Now - 30m and $Now respectively.

  • Static

    If you use different time settings for each search that you create, you might want to select this option for your preference. The default is the preset value of Last 30 minutes.

  • Preset

    If you prefer to use a preset time range, you must also specify a preset value. For example, Last 24 hours.

Base Searches On

Specifies the timestamp associated with the events that you want to find:

  • Normalized Event Time

  • Device Receipt Time

  • Database Receipt Time

The default is Normalized Event Time.

Search Expires in

Specifies how often you want saved searches to expire, and thus tell the system to remove them. The default value is 7 days, but you can specify a value between 1 and 365. Additionally, your System Admin might specify a different range.

You may override the system’s set expiration value, provided you have the permissions to do so. If you have the Never Expire Search Results permission, you can choose for a search to never expire. Keep in mind, the expiration time will reset when you access the search. Resetting the expiration time includes actions like creating or editing a search, resuming or re-running a search, or saving a search and changing its settings.

Session Search Expires In

Specifies how often you want session searches to expire, and thus be removed from the system. You can specify a value between 1 and 120 hours. However, your System Administrator might limit the available range. When you create or edit a search, you can override this default setting.

The expiration time for a fixed-time search resets whenever you change or run the search. For a real-time search, the session search expires once the specified expiration time is reached. You may reset the expiration time by running the search again or by modifying the query or criteria. However, you cannot reset the expiration clock once the search has expired.

When you edit a scheduled search, the value for Search expires in is the one specified when the scheduled search was created. Additionally, the unit of time cannot be changed. For example, if you create a scheduled search with the expiration time set to 10 days and then later change the unit of time to weeks, the value of 10 will still represent days.

To override the default expiration time, change the Search expires in setting for a particular session search. The Never Expire Session for Real-time Searches permission does not interfere with session expiration time for real-time searches.

Maximum Results for a Search

Specifies the maximum number of events (the search results limit) that the search will return. You can specify a value between 1000 and 10 million. The default is 300,000. When creating a search, you can override this preference.

Your admin can configure a system-level setting that controls the maximum number of searches (with a limit of 10 million) for all instances of ArcSight. If you enter a value outside of the system-level setting, you will receive an error message indicating that your preferred default cannot exceed the system setting.

For information about global search limits, see Understand Search Limits.

Highlight Query Syntax

Specifies whether you want Search to use color to differentiate the syntax terms from the operators and functions within the query. For example, in the figure below, Search displays the variable Source Address in blue, the value 11.0.* in red, and the operator in subnet in white.