Create a Search

Select Search > +.

To execute a search, you must specify the query. You can use the default values for the fieldset, time range of data to search, and some additional settings or specify your preferred settings. Alternatively, you can load a saved query, criteria, or dataset.

If you tend to use the same settings for some search parameters, you might want to configure your preferred default setting. For example, you can configure a default time range. To use the same search query or query plus criteria for multiple searches, you should save the query or criteria. You can also save the results of an executed search and configure a default expiration time for searches. By default, session searches expire after 24 hours of inactivity and saved searches after seven days. Search truncates long queries, displaying … to indicate additional content. To see the entire query, you can pin the input field.

If you exceed the search limit, the system displays following error message when you create a new search: "An error occurred while creating search. Exceeding the limit of 1000 searches." You cannot create anymore searches if this error displays. Contact your Administrator to increase the search limit or delete some existing searches. For more information about increasing the search limit in a non-SaaS environment, see Configuring the Deployed Capabilities in the Administrator's Guide for the ArcSight Platform. If you are a SaaS customer, reach out to Support to increase the search limit.

Select Search > +.
Enter the query in one of following ways:
- To use a predefined System search, type #.
  
  The predefined searches might provide only a query expression or include search criteria such as a specific time range.
- To use a search operator, such as eval and wheresql, begin typing the operator's syntax.
  
  For example, type:
  
  ... | where <expression>
- To manually enter the query, begin typing the expression.
  
  For example, type :
  
  Source Address = 192.10.11.12 and Destination Address= 192.10.11.12 or Destination Address in Subnet 192.10.*.*
- To use a saved query, criteria, or search results, select .
- To search data migrated from ArcSight Logger, select Logger from the list box next to the Search button.
- To search for a field without data, enter [field_name] = Null.
In the query, Search treats a comma (,) between the search fields and values as an OR operator.
(Optional) To view all content in a very large query, select the Pin icon in the query input field.

Otherwise, Search truncates long queries, displaying … to indicate additional content.
Specify the fieldset that you want for displaying the search results.

By default, Search displays your preferred default fieldset. If you have not specified one, Search display the Base Event Fields fieldset.
For the time range, perform one of the following actions:
- Accept the default time (Last 30 minutes).
- From the menu, select a pre-defined value under Quick Ranges.
- From the menu, use the Custom Range fields to specify a time range.
- From the menu, select Dynamic, and then enter a dynamic date value.
You can also specify the timestamp that you want to use for the retrieved events. Search uses Normalized Event Time (NET) by default.
(Optional) To limit the number of results received from the search, complete the following steps:
1. Select to the right of the query input field.
2. For Maximum search results, specify the maximum number of results that you want to receive in the dataset.
(Optional) If you do not want this search to expire in the default time, complete the following steps:
1. Select to the right of the query input field.
2. For Search expires in, specify the number of hours that Search will store the session.
(Optional) To more easily find this session search later, give the search a name.
(Optional) To run the search, click Search.

Alternatively, you can press Enter when editing the query input field.
(Optional) To save the query, criteria, or search results for future use, select the Save icon.