5.1 Running an Event Search

Users can run simple or advanced searches.

5.1.1 Running a Basic Search

A basic search runs against all of the event fields listed in Table C-1. Some examples of basic search values include the following:

  • root

  • 127.0.0.1

  • Lock*

  • driverset0

NOTE: If time is not synchronized across your server, client, and event sources, you might get unexpected results from your search. Searches for time durations such as Custom, Last 1 hour, and Last 24 hours display results based on the time zone of the machine on which the search is performed.

To run a basic search:

  1. Type the Search criteria in the Search field and click the Search button on the upper right corner of the page.

    Sentinel Log Manager is configured to run a default search for non-system events with severity 3 to 5 when a user clicks the Search button for the first time. Otherwise, it reuses the last search term the user entered.

    To know more about the case-sensitive fields and tokenized (not case-sensitive) fields, see Section C.0, Event Fields.

  2. To use different search criteria, type the search term in the Search field (for example, admin).

    To retrieve all the log events from all the sources, select Include System Events to include events that are generated by Sentinel Log Manager system operations, and run the search for sev:[0 TO 5] as shown in the following image:

  3. Select a time period for the search. Most of the time settings are self-explanatory, and the default is Last 30 Days.

    • Custom allows you to select a start date and time and an end date and time for the query. The start date must be earlier than the end date, and the time is based on the machine’s local time.

    • Whenever searches both the online data and the archived data in the data directory.

  4. Click Search.

    All fields in the index are searched for the specified text. A spinning icon indicates that the search is taking place.

    The event summary displays the search results on the search dashboard pane.

5.1.2 Running an Advanced Search

An advanced search can search for a value in a specific event field or fields. The advanced search criteria are based on the short names for each event field and the search logic for the index. To know about the field names, their descriptions, the short names that are used in advanced searches, and to know whether the fields are visible in the basic and detailed event views, see Table C-1, Event Fields.

NOTE: Before performing a search, click the search tips link to see the tag names defined in the table that you can use in the search expression.

To search for a value in a specific field, use the short name of the field, a colon, and the value. For example, to search for an authentication attempt to Sentinel Log Manager by user2, use the following text in the search field:

evt:authentication AND sun:user2

Other advanced searches could include the product name, severity, source IP, and the event type. For example:

  • pn:NMAS AND sev:5 (This search is for events with the product name NMAS and severity five.)

  • sip:123.45.67.89 AND evt:"Set Password" (This search is for the source IP of 123.45.67.89 and an event of 'Set Password'.)

Multiple advanced search criteria can be combined by using the following Boolean operators:

  • AND (should be capitalized)

  • OR (should be capitalized)

  • NOT (should be capitalized and cannot be used as the only search criterion)

  • +

  • -

The following special characters should be escaped by using a \ symbol:

+ - && || ! ( ) { } [ ] ^ " ~ * ? : \

The advanced search criteria are modeled on the search syntax of the Apache* Lucene* open source package. More details about the search syntax are available at Lucene Query Parser Syntax.
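The following helper shows how the field:value clauses, the uppercase AND/OR/NOT operators, and the escaping rule above fit together when an expression is built from user-supplied values (for example in a dashboard that passes a user's input into the Search field). It is an added example, not code from Sentinel Log Manager; the short names evt, sun, pn, sev, and sip are the ones cited in this section, and the rules it enforces are the ones stated above.

```python
# Helpers for composing Sentinel Log Manager advanced-search expressions
# (Lucene-style syntax). Constructed example, not product code.

# Characters that the documentation says must be escaped with a backslash.
SPECIAL_CHARS = frozenset('+-&|!(){}[]^"~*?:\\')


def escape_term(value: str) -> str:
    """Backslash-escape every reserved character in a user-supplied value,
    so that input such as 'Lock*' or 'a:b' is searched literally."""
    return "".join("\\" + ch if ch in SPECIAL_CHARS else ch for ch in value)


def field_clause(short_name: str, value: str, exact: bool = False) -> str:
    """Return one short:value clause, e.g. sun:user2 or evt:"Set Password".

    exact=True quotes the value as a phrase (needed when it contains spaces);
    inside a phrase only embedded quotes and backslashes are escaped.
    """
    if exact:
        phrase = value.replace("\\", "\\\\").replace('"', '\\"')
        return f'{short_name}:"{phrase}"'
    return f"{short_name}:{escape_term(value)}"


def range_clause(short_name: str, low: int, high: int) -> str:
    """Inclusive numeric range clause, e.g. sev:[0 TO 5]."""
    return f"{short_name}:[{low} TO {high}]"


def build_query(include, operator: str = "AND", exclude=()) -> str:
    """Join the include clauses with AND/OR and append NOT for each exclusion.

    Enforces two rules from the documentation: the operator must be
    uppercase, and NOT cannot be the only criterion in the expression.
    """
    if operator not in ("AND", "OR"):
        raise ValueError("operator must be AND or OR (uppercase)")
    if not include:
        raise ValueError("NOT cannot be used as the only search criterion")
    query = f" {operator} ".join(include)
    if exclude and operator == "OR" and len(include) > 1:
        query = f"({query})"  # keep OR grouping intact before AND NOT
    for clause in exclude:
        query += f" AND NOT {clause}"
    return query


if __name__ == "__main__":
    print(build_query([field_clause("evt", "authentication"),
                       field_clause("sun", "user2")]))
```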

5.1.3 Search Expression History

Sentinel Log Manager allows you to select a search expression from the list of recently used search expressions while performing a search. When you click in or enter a value in the Search text box, the recently used search expressions appear. You can select one of these search expressions to re-execute the same search.

  • When you enter a text value in the Search text box, the closely matching search expressions appear in the recently used search expression list.

    The search expression history list displays a maximum of 15 expressions.

  • When no text is entered in the Search text box, the search expression list displays the recently used search expressions. The most recent search expression appears at the top of the list.

  • For each user, a maximum of 250 search expressions are stored. When the number of search expressions exceeds 250, the oldest ones are deleted from the list.

The following image displays the recently used search expressions list:

Figure 5-1 Displays the Search Expression History list