2.1 Understanding the Search Feature

Recon ingests log data from ArcSight Logger and SmartConnectors, routed through Transformation Hub, as well as events from ArcSight Enterprise Security Manager. Each entry in a log is referred to as an event. Recon accepts events from Transformation Hub and organizes them to maximize search and storage efficiency.

The Search feature enables you to search events by entering a search command, a time window over which to search, and the fields from the Unified Event Schema. Search displays results in an Events Timeline chart, a histogram that shows the number of events returned over event occurrence time. The Events table below the Timeline lists the events returned by the search. When you select an event, Search displays the Event Details panel.

Search uses a database that serves as the main data store, as well as a cache. The search engine is a scalable server-side application that executes and caches large search queries in the database. In the backend, Recon saves your searches, user preferences, and proxy search requests to the search engine using a REST API. The database stores three timestamps for each event to provide more clarity in your search results. When creating a search, you specify the timestamp to use for retrieving events.

For the query’s time range, you can choose a fixed start and end date, in which case the results cannot be refreshed, or a predefined date range. For example, with the predefined "last 30 minutes" range, each time you re-execute the search you receive updated results covering the most recent 30 minutes. Alternatively, you can specify dynamic dates, such as Midnight on the first day of the current month.
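The following is an added illustration, not ArcSight Recon's own code, of how the three kinds of time range described above behave when a search is re-executed, and of how the choice of timestamp field (mentioned in the previous paragraph) changes which events a window returns. The spec dictionary format, the field names `device_time` and `receipt_time`, and the sample events are all assumptions constructed for this example; the Unified Event Schema's real field names are not shown on this page.

```python
from datetime import datetime, timedelta, timezone

# Added example, not ArcSight Recon's own code. Resolves a search time-range
# specification into a concrete (start, end) window, then selects events by a
# caller-chosen timestamp field. Spec keys and field names are hypothetical.

UTC = timezone.utc


def resolve_range(spec, now):
    """Return (start, end) for a time-range spec evaluated at time `now`."""
    kind = spec["kind"]
    if kind == "fixed":
        # Fixed start and end: the window never moves, so re-executing the
        # search cannot pull in newer events (nothing to refresh).
        return spec["start"], spec["end"]
    if kind == "last":
        # Predefined relative range (e.g. last 30 minutes): anchored to the
        # moment of execution, so each re-execution slides the window forward.
        return now - spec["delta"], now
    if kind == "dynamic" and spec["anchor"] == "start_of_month":
        # Dynamic date: midnight on the first day of the current month.
        start = now.replace(day=1, hour=0, minute=0, second=0, microsecond=0)
        return start, now
    raise ValueError(f"unsupported range spec: {spec!r}")


def select_events(events, ts_field, start, end):
    """Keep events whose chosen timestamp field falls within [start, end]."""
    return [e for e in events if start <= e[ts_field] <= end]


# Constructed sample events with two hypothetical timestamp fields: when the
# device reported the event and when the platform received it.
SAMPLE_EVENTS = [
    {"id": 1, "device_time": datetime(2024, 3, 15, 9, 40, tzinfo=UTC),
     "receipt_time": datetime(2024, 3, 15, 9, 41, tzinfo=UTC)},
    {"id": 2, "device_time": datetime(2024, 3, 15, 9, 20, tzinfo=UTC),
     "receipt_time": datetime(2024, 3, 15, 9, 50, tzinfo=UTC)},  # arrived late
    {"id": 3, "device_time": datetime(2024, 2, 28, 23, 0, tzinfo=UTC),
     "receipt_time": datetime(2024, 2, 28, 23, 1, tzinfo=UTC)},
]

# Two execution times (constructed) to show how re-execution affects windows.
NOW = datetime(2024, 3, 15, 10, 0, tzinfo=UTC)
LATER = datetime(2024, 3, 15, 10, 15, tzinfo=UTC)

# One spec of each kind described in the text (constructed).
LAST_30_MIN = {"kind": "last", "delta": timedelta(minutes=30)}
FIXED_WINDOW = {"kind": "fixed",
                "start": datetime(2024, 3, 15, 9, 30, tzinfo=UTC),
                "end": NOW}
CURRENT_MONTH = {"kind": "dynamic", "anchor": "start_of_month"}


def search_ids(spec, ts_field, now, events=SAMPLE_EVENTS):
    """Run one search and return the matching event ids, in input order."""
    start, end = resolve_range(spec, now)
    return [e["id"] for e in select_events(events, ts_field, start, end)]


if __name__ == "__main__":
    # Same relative window, different timestamp field: the late-arriving
    # event 2 is found only when searching on receipt time.
    print(search_ids(LAST_30_MIN, "device_time", NOW))    # [1]
    print(search_ids(LAST_30_MIN, "receipt_time", NOW))   # [1, 2]
    # Re-executing 15 minutes later slides the relative window forward,
    # while the fixed window returns exactly what it did before.
    print(search_ids(LAST_30_MIN, "receipt_time", LATER))  # [2]
    print(search_ids(FIXED_WINDOW, "device_time", LATER))  # [1]
    print(search_ids(CURRENT_MONTH, "device_time", NOW))   # [1, 2]
```

The late-arriving event 2 illustrates why the database keeps more than one timestamp per event: a window evaluated on receipt time catches it, while the same window evaluated on device time does not.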

After initiating a search, you can pause, restart, and cancel the process as needed. A progress bar shows you the percent of retrieved data.