2.3 Creating and Saving Searches

Recon supports up to 10 active searches and 40 saved searches per user.

2.3.1 Create a Search

For every search, you must enter the query input, search result fields, and the time period for which you want to search events. Queries are case sensitive. The query input determines the search type (full text, natural language, or contextual). As you specify the criteria for a search query, Recon suggests search items and operators based on a schema data dictionary. You can also choose from predefined queries.

NOTE: Recon treats a comma (,) between search items and values as an OR operator.

  1. Select Search > New Search.

  2. Specify the query parameters.

    For example:

    Source Address = 192.10.11.12 and Destination Address less than 192.10.11.12

    Enter # to view the predefined queries.

  3. To search for a field without data, enter [field_name] = Null.

  4. Specify the fieldset that you want for the search results.

    By default, Recon displays the name of the last used fieldset.

  5. For the time range, perform one of the following actions:

    • Accept the default time (Last 30 minutes)

    • From the drop-down menu, select a predefined value under Quick Ranges

    • From the drop-down menu, use the Custom Range fields to specify a time range

    • From the drop-down menu, select Dynamic, then enter a dynamic date value

  6. Select Search.

    Recon begins populating the Events Timeline and Events table. Depending on the number of events retrieved, the search might pause to indicate that the amount of data could impact the search performance. You might want to select a smaller time range. To resume a search, click the play button in the progress bar.

  7. (Optional) To more easily find the search later, give the search a name.

  8. To save the search for future use, select Save.

2.3.2 Save a Search

After you execute a search, Recon automatically saves the search if you navigate away from the search page to another Recon feature, the Dashboard, or the Admin pages.

However, your search is not automatically saved if you close the browser or tab, or if you log out. To permanently save your search, you can add it to the Saved Searches list. You can delete the search from the saved list at any time.

To permanently save your search:

  1. (Optional) Give the search a name.

  2. Select Save.

  3. To view your search, select Saved Searches.

2.3.3 Name a Search

By default, Recon gives each search the title Search <N>. You can apply a custom name to the search at any time.

  1. When viewing the search, select beside the search’s name.

  2. Enter the custom name.

  3. To save your changes, select the Check icon.

2.3.4 Find a Saved Search

Select Search > Saved Searches.

Recon saves up to 40 searches. You can sort the table of saved searches by the search name, query, number of results, or date it was saved. To more easily find searches, you can give them custom names.