Methods of Searching
Find examples and basic search fields via ArcSight Logger - Commonly Used Event Fields
Basic Search
Analyze > Search
Enter your search terms and select the time range
Example:
applicationProtocol="DHCP" AND deviceAction="DHCPACK" AND destinationAddress = "130.64.205.133"
Advanced Search
Analyze > Search > Advanced Search
This is basically just a "Query Builder." It works exactly the same way as Basic Search. It just assists you to create a search string to input for a Basic Search.
Operators:
&& |
AND |
|| |
OR |
! |
NOT |
Saving a Search
ArcSight calls saved searches by 2 labels:
As a filter
A Filter saves the query expression, but does not save the time range or the field set information.
As a "saved search"
A saved search saves the query expression and the time range that you specified.
A filter is a subset of the saved search, and is the "wussier" version of a "saved search"
Downloading Finished Saved Searches
- Click on the Configuration Tab.
- Select the 'Saved Search' link on the left hand toolbar.
- Click on the "Saved Search Files (logger)" internal tab.
- Find your saved search and click on the name to download the CSV file.
FAQ
What does the Star icon do?
It's the "search analyzer." It examines your query to see if it is optimized (ie. will it run fast?). An optimized query will use indexed columns for searching.
How do I reduce the number of result columns I get?
Use fieldsets. You can select what you want with "Fields: ..."
As an example, try the "DMCA_1" fieldset. Or click customize... to define your own.