2.2 Creating and Saving Searches

Recon supports up to 10 active searches and 40 saved searches per user.

2.2.1 Create a Search

For every search, you must enter the query input, search result fields, and the time period for which you want to search events. Queries are case sensitive. The query input determines the search type (full text, natural language, or contextual). As you specify the criteria for a search query, Search suggests search items and operators based on a schema data dictionary. You can also choose from predefined queries.

If you tend to use the same settings for some search parameters, you might want to specify a preferred default setting. For example, you can configure a default time range.

NOTE: Recon treats a comma (,) between search items and values as an OR operator.

  1. Select Search > + New Search.

    You can also choose to search data migrated from ArcSight Logger.

  2. Specify the query parameters.

    For example:

    Source Address = 192.10.11.12 and Destination Address less than 192.10.11.12

    Enter # to view the predefined queries.

  3. To search for a field without data, enter [field_name] = Null.

  4. Specify the fieldset you want for the search results.

    By default, Search displays your preferred default fieldset. If you have not specified one, Search displays the Base Event Fields fieldset.

  5. For the time range, perform one of the following actions:

    • Accept the default time (Last 30 minutes)

    • From the drop-down menu, select a pre-defined value under Quick Ranges

    • From the drop-down menu, use the Custom Range fields to specify a time range

    • From the drop-down menu, select Dynamic then enter a dynamic date value

    You can also specify the timestamp you want to use for the retrieved events. Search uses Normalized Event Time by default.

  6. Click Search.

    Search begins populating the Events Timeline and Events table. Depending on the number of events retrieved, the search might pause to indicate that the amount of data could impact the search performance. You might want to select a smaller time range. To resume a search, click the play button in the progress bar.

  7. (Optional) To more easily find the search later, give the search a name.

  8. To save the search for future use, select Save.
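    To make the query rules above concrete (a comma between values acts as OR, `= Null` matches a field without data, matching is case sensitive, and the time range is applied to Normalized Event Time, defaulting to the last 30 minutes), the following is a small Python model added here as an illustration. It is not code from Recon or from its vendor: the grammar it accepts, the three field names it knows, the `search` and `parse_query` helper names and the sample events are all assumptions for the example, and the product's own parser and schema data dictionary are considerably richer.

```python
"""Toy model of the search rules described in 2.2.1 (added example, not Recon
code). Assumptions: a 'field op value[, value...] and ...' grammar, three
known fields, '=' and 'less than' as the only operators, and constructed events."""
from datetime import datetime, timedelta
import ipaddress

NOW = datetime(2024, 1, 1, 12, 0, 0)          # "now" for the time window
FIELDS = ("Source Address", "Destination Address", "Name")  # assumed schema


def _mk(src, dst, name, age):
    # Constructed sample event; None models a field that carries no data.
    return {"Source Address": src, "Destination Address": dst, "Name": name,
            "Normalized Event Time": NOW - age}


EVENTS = [  # constructed sample data, not real events
    _mk("192.10.11.12", "10.0.0.5", "Login", timedelta(minutes=5)),
    _mk("192.10.11.13", "10.0.0.6", "login", timedelta(minutes=20)),
    _mk("172.16.0.9", None, "Login", timedelta(minutes=45)),
    _mk("192.10.11.12", "10.0.0.7", "Login", timedelta(hours=3)),
]


def _coerce(text):
    """IP-looking values compare as addresses; anything else as a case-sensitive string."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return text


def parse_query(query):
    """Split a query into (field, operator, [values]) terms joined by 'and'.
    A comma inside the value list is the OR operator the note above describes."""
    terms = []
    for clause in query.split(" and "):
        clause = clause.strip()
        field = next((f for f in FIELDS if clause.startswith(f + " ")), None)
        if field is None:
            raise ValueError("unknown field in clause: %r" % clause)
        rest = clause[len(field):].strip()
        if rest.startswith("="):
            op, raw = "=", rest[1:]
        elif rest.startswith("less than"):
            op, raw = "<", rest[len("less than"):]
        else:
            raise ValueError("unsupported operator in clause: %r" % clause)
        values = [v.strip() for v in raw.split(",") if v.strip()]
        terms.append((field, op, values))
    return terms


def _term_matches(event, field, op, values):
    """True if the event satisfies ANY of the comma-separated values (OR semantics)."""
    actual = event.get(field)
    for v in values:
        if op == "=" and v == "Null":      # '= Null' matches a field without data
            if actual is None:
                return True
            continue
        if actual is None:                 # a missing field satisfies nothing else
            continue
        expected, got = _coerce(v), _coerce(actual)
        if type(expected) is not type(got):  # never compare an IP with a string
            continue
        if op == "=" and got == expected:
            return True
        if op == "<" and got < expected:
            return True
    return False


def search(query, events, last_minutes=30, now=NOW):
    """Apply the time window on Normalized Event Time, then every 'and' term."""
    cutoff = now - timedelta(minutes=last_minutes)
    terms = parse_query(query)
    return [e for e in events
            if e["Normalized Event Time"] >= cutoff
            and all(_term_matches(e, *t) for t in terms)]


if __name__ == "__main__":
    for q, window in [("Source Address = 192.10.11.12", 30),
                      ("Source Address = 192.10.11.12, 192.10.11.13", 30),
                      ("Name = login", 30),
                      ("Destination Address = Null", 60),
                      ("Source Address = 192.10.11.12 and "
                       "Destination Address less than 192.10.11.12", 240)]:
        hits = search(q, EVENTS, last_minutes=window)
        print("%-75s last %3d min -> %d event(s)" % (q, window, len(hits)))
```

    Two behaviours worth noticing when you run it: the first query returns one event, not two, because the older event from the same source falls outside the default 30-minute window, and `Name = login` matches only the lower-case event because comparison is case sensitive, exactly as the procedure states.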

2.2.2 Save a Search

After you execute a search, Recon automatically saves the search if you navigate away from the search page to another Recon feature, the Dashboard, or the Admin pages. However, your search is not automatically saved if you close the browser or tab or when you log out. To permanently save your search, you can add it to the Saved Searches list.

You can delete the search from the saved list at any time. You can also configure Search to automatically delete searches after a specific time.

To permanently save your search:

  1. (Optional) Give the search a name.

  2. Select Save.

  3. To view your search, select Saved Searches.

2.2.3 Name a Search

By default, Recon gives each search the title Search <N>. You can apply a custom name to the search at any time.

  1. When viewing the search, select the icon beside the search’s name.

  2. Enter the custom name.

  3. To save your changes, select the Check icon.

2.2.4 Find a Saved Search

Select Search > Saved Searches.

Recon saves up to 40 searches. You can sort the table of saved searches by the search name, query, number of results, or date it was saved. To more easily find searches, you can give them custom names.