Create a Search

Select Search > +.

To execute a search, you must specify the query. You can use the default values for the fieldset, time range of data to search, and some additional settings or specify your preferred settings. Alternatively, you can load a saved query, criteria, or dataset.

If you tend to use the same settings for some search parameters, you might want to configure your preferred default setting. For example, you can configure a default time range. To use the same search query or query plus criteria for multiple searches, you should save the query or criteria. You can also save the results of an executed search and configure a default expiration time for searches. By default, session searches expire after 24 hours of inactivity and saved searches after seven days. Search truncates long queries, displaying … to indicate additional content.

  1. Select Search > +.

  2. Enter the query in one of following ways:

    • To use a predefined System search, type #.

      The predefined searches might provide only a query expression or include search criteria such as a specific time range.

    • To manually enter the query, begin typing the expression.

For example, type:

      Source Address = 192.10.11.12 and Destination Address = 192.10.11.12 or Destination Address in Subnet 192.10.*.*

    • To use a saved query, criteria, or search results, select .

    • To search data migrated from ArcSight Logger, select Logger from the list box next to the Search button.

• To search for a field without data, enter [field_name] = Null, where [field_name] is the name of the field to test.

In the query, Search treats a comma (,) between the search fields and values as an OR operator.

  3. (Optional) To view all content in a very large query, select the Pin icon in the query input field.

    Otherwise, Search truncates long queries, displaying … to indicate additional content.

  4. Specify the fieldset that you want for displaying the search results.

By default, Search displays your preferred default fieldset. If you have not specified one, Search displays the Base Event Fields fieldset.

  5. For the time range, perform one of the following actions:

    • Accept the default time (Last 30 minutes).

    • From the menu, select a pre-defined value under Quick Ranges.

    • From the menu, use the Custom Range fields to specify a time range.

    • From the menu, select Dynamic, and then enter a dynamic date value.

    You can also specify the timestamp that you want to use for the retrieved events. Search uses Normalized Event Time (NET) by default.

  6. (Optional) To more easily find this session search later, give the search a name.

  7. (Optional) To run the search, click Search.

    Alternatively, you can press Enter when editing the query input field.

  8. (Optional) To save the query, criteria, or search results for future use, select the Save icon.
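The query forms shown in step 2 (field = value, field = Null, field in Subnet with a * wildcard, and a comma standing in for OR) are easy to misread when AND and OR appear in the same expression. The following toy evaluator is an added example, not ArcSight code and not a description of how the Search engine parses queries: it runs the page's example query and the comma and Null forms over a handful of constructed events so you can see which events each reading of the expression returns. Everything about operator precedence here is an assumption (AND binds tighter than OR, as in most query languages) and should be confirmed in the product before you rely on an expression like the one in step 2; the sample events, field names beyond the two used on the page, and the helper function names are all made up for the example.

```python
"""Toy evaluator for the query forms in step 2, run over constructed events.

Assumptions (not stated on the page): AND binds tighter than OR, a comma
between terms is read as OR, and "in Subnet" uses the same '*' wildcard
that the page's example shows. Verify these against the product itself.
"""
import re
from fnmatch import fnmatchcase

# Constructed sample events (not from the page). Event 4 has no
# Destination Address at all, which is what "= Null" is meant to find.
EVENTS = [
    {"id": 1, "Source Address": "192.10.11.12", "Destination Address": "192.10.11.12"},
    {"id": 2, "Source Address": "10.0.0.5", "Destination Address": "192.10.44.7"},
    {"id": 3, "Source Address": "10.0.0.6", "Destination Address": "172.16.0.1"},
    {"id": 4, "Source Address": "192.10.11.12"},
]

# One comparison: "<field> = <value>", "<field> = Null" or
# "<field> in Subnet <pattern>". Field names may contain spaces.
TERM_RE = re.compile(
    r"^(?P<field>[A-Za-z][A-Za-z ]*?)\s*(?P<op>=|in\s+subnet)\s*(?P<value>\S+)$",
    re.IGNORECASE,
)
# Top-level splitters. The comma alternative implements the page's note that
# a comma between search fields and values is treated as OR (assumed syntax).
OR_RE = re.compile(r"\s+or\s+|\s*,\s*", re.IGNORECASE)
AND_RE = re.compile(r"\s+and\s+", re.IGNORECASE)


def parse_term(text):
    """Turn one comparison into (field, op, value); op is 'eq' or 'subnet'."""
    m = TERM_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised term: {text!r}")
    op = "subnet" if m["op"].lower().startswith("in") else "eq"
    return m["field"].strip(), op, m["value"]


def parse_query(query):
    """Split on OR first, then AND, so AND binds tighter (assumption).

    Returns a list of AND-groups; the query matches if any group matches.
    """
    return [[parse_term(t) for t in AND_RE.split(group)]
            for group in OR_RE.split(query.strip())]


def term_matches(event, field, op, value):
    actual = event.get(field)
    if op == "eq":
        if value.lower() == "null":   # "[field_name] = Null": field carries no data
            return actual is None or actual == ""
        return actual == value
    # "in Subnet 192.10.*.*": '*' is a glob wildcard here, so it also matches
    # more than one octet; tighten this if your data needs strict CIDR logic.
    return actual is not None and fnmatchcase(actual, value)


def matches(event, parsed):
    return any(all(term_matches(event, *t) for t in group) for group in parsed)


def run_search(query, events=EVENTS):
    """Return the ids of the events the query selects, in input order."""
    parsed = parse_query(query)
    return [e["id"] for e in events if matches(e, parsed)]


if __name__ == "__main__":
    for q in (
        "Source Address = 192.10.11.12 and Destination Address = 192.10.11.12"
        " or Destination Address in Subnet 192.10.*.*",
        "Destination Address = Null",
        "Destination Address = 172.16.0.1, Source Address = 10.0.0.5",
    ):
        print(f"{q} -> events {run_search(q)}")
```

Under the assumed precedence the page's example query returns events 1 and 2: event 1 satisfies the AND pair, event 2 only the subnet term. If the product instead evaluated left to right with equal precedence, the same text would read as (A and B) or C just the same here, but the two readings diverge as soon as an OR precedes an AND, so write the expression you actually mean and check the hit count against a small known dataset before saving it as a query or criteria.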