2.1 Understanding the Search Feature

Recon ingests log data from SmartConnectors routed through ArcSight Transformation Hub. Each entry in a log is referred to as an event. Recon accepts events from Transformation Hub and organizes them to maximize search and storage efficiency. The Search feature enables you to search events by entering a search command, a time window over which to search, and the fields from the Unified Event Schema. Search displays results in an Events Timeline chart, which is a histogram showing the number of events returned over event occurrence time. The Events table below the Timeline lists the events returned by the search.

Search uses a database that serves as the main data store, as well as a cache. The search engine is a scalable server-side application that executes and caches large search queries in the database. In the backend, Recon saves your searches and user preferences, and proxies search requests to the search engine through its REST API.

For the query's time range, you can choose a fixed start and end date, where you cannot refresh data, or a predefined date range. For example, with the predefined Last 30 minutes range, re-executing the search returns results from the most recent 30 minutes at the time of execution. Alternatively, you can specify dynamic dates, such as Midnight on the first day of the current month.
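To make the difference between the three kinds of time range concrete, here is an added Python example (not Recon's own code, and not its search syntax). It resolves a fixed window, a predefined relative window, and a dynamic month-start window against a reference "now", runs them over a constructed set of timestamped events, and buckets the hits into a simple histogram in the spirit of the Events Timeline. The `fixed_window`, `last_minutes`, `since_month_start`, `run_search` and `timeline_histogram` helpers, and the sample timestamps, are assumptions made for this illustration.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Constructed sample events (hypothetical): one timestamp each, spread over about two hours.
T0 = datetime(2024, 3, 15, 10, 0, tzinfo=UTC)
SAMPLE_EVENTS = [
    {"ts": T0 + timedelta(minutes=m), "name": f"event-{i}"}
    for i, m in enumerate([0, 5, 12, 31, 44, 58, 75, 90, 119])
]


def fixed_window(start, end):
    """Fixed start and end: the bounds never move, so re-executing cannot pick up newer data."""
    def resolve(now):
        return start, end
    return resolve


def last_minutes(minutes):
    """Predefined relative range (e.g. 'last 30 minutes'), re-anchored to 'now' on every execution."""
    def resolve(now):
        return now - timedelta(minutes=minutes), now
    return resolve


def since_month_start():
    """Dynamic date: midnight on the first day of the month containing 'now', up to 'now'."""
    def resolve(now):
        start = now.replace(day=1, hour=0, minute=0, second=0, microsecond=0)
        return start, now
    return resolve


def run_search(events, resolve, now):
    """Resolve the window at execution time and return (start, end, matching events)."""
    start, end = resolve(now)
    hits = [e for e in events if start <= e["ts"] <= end]
    return start, end, hits


def timeline_histogram(hits, start, bucket_minutes):
    """Count hits per bucket of bucket_minutes beginning at 'start' (a toy Events Timeline)."""
    width = timedelta(minutes=bucket_minutes)
    counts = Counter((e["ts"] - start) // width for e in hits)
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    first_run = T0 + timedelta(minutes=60)
    second_run = T0 + timedelta(minutes=80)
    for label, resolver in [
        ("fixed 10:00-11:00", fixed_window(T0, T0 + timedelta(minutes=60))),
        ("last 30 minutes", last_minutes(30)),
        ("since month start", since_month_start()),
    ]:
        for now in (first_run, second_run):
            start, end, hits = run_search(SAMPLE_EVENTS, resolver, now)
            print(f"{label:>18} @ {now:%H:%M}: {len(hits)} events, "
                  f"histogram {timeline_histogram(hits, start, 15)}")
```

Re-running the script with a later "now" shows the relative window sliding forward while the fixed window returns the same events both times, which is exactly why a fixed range cannot be refreshed.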

After initiating a search, you can pause, restart, and cancel the process as needed. A progress bar shows you the percent of retrieved data.