Classic Search: Running a Search

Make sure to remove this topic after Classic search is deprecated

The Analyze > Classic Search page has been deprecated on this release. Micro Focus recommends Custom Fieldsets from the Analyze > Search page instead.

You can use the options displayed on the Classic Search page to help create and run your search query. To access this page, go to Analyze > Classic Search page.

Search Bar Legend

Description	Description
Load a saved filter	Set time range
Save query	Search time field
Clear query	Select fieldset
Open Search Analyzer	Open Advanced Search Builder
Update search options	Enter query
Start or cancel search	Open search history
Export search results	Go to Search

Description

Load a saved filter

Set time range

Save query

Search time field

Clear query

Select fieldset

Open Search Analyzer

Open Advanced Search Builder

Update search options

Enter query

Start or cancel search

Open search history

Export search results

Go to Search

Click the down-arrow to view and adjust the search options. Use the default values or change them as needed:

Local Only: This option is only displayed when peers have been configured for your system. Local Only is checked by default. If you want to include peers in your search, uncheck the Local Only checkbox. If you do not see this checkbox, no peers have been configured on your Logger. See Searching Peers (Distributed Search) for more information.

To disable this parameter (both in Classic and Search page), go to the Logger.properties.file and set to false the property search.localOnlyChecked. Manually add the property if required.

Field Summary: Lists the selected CEF fields in the displayed events. By default, the selected fields include: deviceEventClassId, deviceProduct, deviceVendor, deviceVersion, and name; you can edit this list to suit your needs. Selecting this option enables the Discover Fields option. See The Field Summary Panel for more information about the Field Summary and Discover Fields options.
Discover Fields: Lists the non-CEF fields discovered in raw events. This option is only taken into consideration when Field Summary has been selected.
Auto Refresh: By default, search results are not automatically refreshed, and will expire in ten minutes (the default), or whenever the configured expiry time is reached (See Concurrent Searches). Select this option to have the Search results auto refresh for the selected search. You can select from the following refresh intervals: 30 seconds, 60 seconds, 2 minutes, 5 minutes, or 15 minutes.
Sort: Select Oldest Event First or Newest Event First, depending on how you want the search results to display.
Fieldset: By default, all fields (All Fields) are displayed in the search results. However, you can select another predefined field set or specify a customized field set. See Fieldsets for more information.
Time Range: By default, the query is run on the data received in the last ten minutes. Click the drop-down list to select another predefined time range or specify a custom time range. See Time Range for more information.
Search type: Allows to search based on the time events occurred or were receipt by the Logger. See Search based on Event Time for more information.

Specify a query expression in the Search text box using one or more of the following methods.

Note: Refer to Keyword Search (Full-text Search), Field-Based Search, and Searching for Rare Field Values for instructions, exceptions, and invalid characters before you create a query expression.

Type the query expression in the Search text box. For information about building a query expression, including lists of applicable operators, see Elements of a Search Query.
When you type a query, Logger’s Search Helper enables you to quickly build a query expression by automatically providing suggestions, possible matches, and applicable operators. See Search Helper for more information.
Use these guidelines to include various elements in a search query:

For a complete list of fields in Logger schema, see Field-Based Indexing.
Metadata terms (_storageGroup, _deviceGroup, _peerLogger)

Type “_s” (for storage group), “_d” (for device group), or “_p” (for Logger) in the Search text box to obtain a drop-down list of constraint terms and operators.
Regular expression term (|REGEX=)

Note: If your query expression includes multiple device groups and storage groups to which search should be constrained, make sure that the group names are enclosed in a square bracket; for example, _storageGroup IN [“SGA”, “SGB”].
Click Advanced to use the Search Builder tool. (See Classic Search: Using the Advanced Search Builder for more information.) Also, use this option to specify device groups, storage groups, and Loggers to which search should be limited.

Click the icon to load a saved filter, a system filter, or a saved search. Select the filter or the saved search from the displayed list and click Load+Close. For more information, see Searching with Saved Queries and System Filters/Predefined Filters.

Optionally, you can start a concurrent search in a new browser tab. See Concurrent Searches.