A search query can either have a fixed start and end date, where you cannot refresh data, or a time range that captures the most recent data. For example, if you choose the predefined Last 30 minutes setting, Recon updates data upon re-executing the search based on the most recent 30 minutes. Alternatively, you can create a dynamic date range.
The time range that you specify in the time range selector is inclusive. Search includes the whole second as the end time. For example, if you specify a time range between 2018-01-01 12:00:00 and 2018-01-01 12:59:59, Search includes all data from 2018-01-01 12:00:00.000 to 2018-01-01 12:59:59.999, inclusive.
Search offers a flexible, dynamic setting for the time range where you can enter the desired time stamp without using the calendar to specify days, hours, and minutes. The dynamic date range uses the following syntax:
<dynamic_time>
or
<dynamic_time> [+/- <units>]
For example, to search for events that have occurred in the last two hours, you can specify $Now – 2h for Start time and $Now for End time. To find events that have occurred this week, you can enter $CurrentWeek for Start time and $Now for End time.
To enter a dynamic date range:
When viewing a search or starting a query, select the currently specified time range.
For the start or end time under Custom Range, select Dynamic.
To specify the dynamic_time, enter one of the following values:
|
Value |
Represents |
|---|---|
|
$Now |
The current minute |
|
$Today |
Midnight of the current day |
|
$CurrentWeek |
Midnight of the previous Monday (or same as $Today if today is Monday) |
|
$CurrentMonth |
Midnight on the first day of the current month |
|
$CurrentYear |
Midnight on the first day of the current year |
To specify the units, enter one of the following values:
|
Value |
Represents |
|---|---|
|
m (lowercase) |
Minutes |
|
h |
Hours |
|
d |
Days |
|
w |
Weeks |
|
M (uppercase) |
Months |
Search can display results based on the timestamp associated with each event. The database stores three different timestamps for each event. For peak performance, Search automatically uses the Normalized Event Time setting. However, you can specify any timestamp setting for a search. You can also choose to make the timestamp the default setting.
NOTE:The Date Picker displays this Timestamp setting on when searching for events.
Database Receipt Time (dBRT) represents the time when the database received the event. The database considers this timestamp as the persisted time of the event.
Device Receipt Time (DRT) represents the time when the connected device claims the event occurred. This timestamp preserves the original time recorded by the device. However, this timestamp might not be credible in all cases. For example, it is possible that the time settings for the connected device are not configured correctly or the clock on the server that hosts the connected device might gain or lose time, which causes the timestamp to be out of sync with the actual time the event occurred.
Normalized Event Time (NET) represents the best known time for an event. Ideally NET is the time when the connected device reported the event occurred (the DRT) because the device is the most direct known observer of the event occurrence. However, when the DRT for an event is not within a credible time range compared to the database’s time, NET represents the time when the database received the event (the dBRT). For example, the time on a connected device was configured incorrectly such that DRT for an event is May 29 1975 when the current date in the database when the database received the event is June 29 2020. The database recognizes that the event’s May 29 1795 timestamp for DRT is outside the credible time range. Based on the discrepancy with DRT, the database sets NET to June 29 2020 (same as the dBRT).
By default, the DRT value must be within a boundary of -7 days in the past and +1 days in the future from the dBRT. To configure the boundary criteria, see the Administrator’s Guide for ArcSight Recon.
Searches for events in a time range are based on the timestamps of matching events and use the time zone of the local browser by default. You might need to account for the time zone offset from UTC and from other time zones, including Daylight Savings Time.
You can configure Search results to adjust the time for events to a specific time zone. For example, it’s possible that you might create a search while in a one time zone, then view the search from a different computer set to a different time zone. When this occurs, the Events Timeline converts the time segments to the specified time zone. If the Events table includes a time attribute, Search converts the time. However, the aggregation reflects the original time zone. For example, if the Events Timeline has seven bars in the original time zone, the number of bars could increase or decrease to reflect the currently specified time zone.