Creating a customized search

You can search for data that match your criteria by using more specific search options. For example, you can specify columns for your search, which you can group and reorder to more efficiently browse your search results.

About this task

The duration of your search varies depending on the size of your database.

You can add new search options to filter through search results to find a specific event or flow that you are looking for.

The following table describes the search options that you can use to search event and flow data:
Table 1. Search options

Group
Select an event search group or flow search group to view in the Available Saved Searches list.

Type Saved Search or Select from List
Type the name of a saved search or a keyword to filter the Available Saved Searches list.

Available Saved Searches
This list displays all available searches, unless you use the Group or Type Saved Search or Select from List options to apply a filter to the list. You can select a saved search on this list to display or edit.

Search
The Search icon is available in multiple panes on the search page. Click Search when you are finished configuring the search and want to view the results.

Include in my Quick Searches
Select this check box to include this search in your Quick Search menu.

Include in my Dashboard
Select this check box to include the data from your saved search on the Dashboard tab. For more information about the Dashboard tab, see Dashboard management.
Note: This parameter is displayed only if the search is grouped.

Set as Default
Select this check box to set this search as your default search.

Share with Everyone
Select this check box to share this search with all other users.
Restriction: You must have the Admin security profile to share search requirements.

Real Time (streaming)
Displays results in streaming mode.
Note: When Real Time (streaming) is enabled, you cannot group your search results. If you select any grouping option in the Column Definition pane, an error message opens.

Last Interval (auto refresh)
The Log Activity and Network Activity tabs are refreshed at one-minute intervals to display the most recent information.

Recent
After you select this option, you must select a time range option from the list.
Note: The results from the last minute might not be available. Select the Specific Interval option if you want to see all results.

Specific Interval
After you select this option, you must select the date and time range from the Start Time and End Time calendars.

Data Accumulation
Displayed when you load a saved search.
If no data is accumulating for this saved search, the following information message is displayed: Data is not being accumulated for this search.
If data is accumulating for this saved search, the following options are displayed:
  • When you click or hover your mouse over the column link, a list of the columns that are accumulating data opens.
  • Use the Enable Unique Counts/Disable Unique Counts link to display unique event and flow counts instead of average counts over time. After you click the Enable Unique Counts link, a dialog box opens and indicates which saved searches and reports share the accumulated data.

Current Filters
Displays the filters that are applied to this search.

Save results when the search is complete
Saves the search results.

Display
Specifies a predefined column set to display in the search results.

Name
The name of your custom column layout.

Save Column Layout
Saves a custom column layout that you modified.

Delete Column Layout
Deletes a saved custom column layout.

Type Column or Select from List
Filters the columns that are listed in the Available Columns list. For example, type Device to display a list of columns that include Device in the column name.

Available Columns
Columns that are currently in use for this saved search are highlighted and displayed in the Columns list.

Add and remove column arrows (top set)
Use the top set of arrows to customize the Group By list.
  • To add a column, select one or more columns from the Available Columns list and click the right arrow.
  • To remove a column, select one or more columns from the Group By list and click the left arrow.

Add and remove column arrows (bottom set)
Use the bottom set of arrows to customize the Columns list.
  • To add a column, select one or more columns from the Available Columns list and click the right arrow.
  • To remove a column, select one or more columns from the Columns list and click the left arrow.

Group By
Specifies the columns on which the saved search groups the results.
  • To move a column up the priority list, select a column and click the up arrow. You can also drag the column up the list.
  • To move a column down the priority list, select a column and click the down arrow. You can also drag the column down the list.
The priority list specifies the order in which the results are grouped. The search results are grouped by the first column in the Group By list and then by the next column on the list.
Note: The search might not return the correct results if you include domains in the Group By list.

Columns
Specifies the columns that are chosen for the search. You can select more columns from the Available Columns list. You can further customize the Columns list by using the following options:
  • To move a column up the priority list, select a column and click the up arrow. You can also drag the column up the list.
  • To move a column down the priority list, select a column and click the down arrow. You can also drag the column down the list.
If the column type is numeric or time-based and an entry is in the Group By list, the column includes a list. Use the list to choose how you want to group the column.
If the column type is group, the column includes a list to choose how many levels you want to include for the group.

Move columns between the Group By list and the Columns list
Move columns between the two lists by selecting a column in one list and dragging it to the other.

Order By
From the first list, select the column by which you want to sort the search results. Then, from the second list, select the order in which you want to display the search results.

Results Limit
Specifies the number of rows that a search returns on the Edit Search window. The Results Limit field also appears on the Results window.
  • For a saved search, the limit is stored in the saved search and reapplied when the search is loaded.
  • When you sort a column in a search result that has a row limit, sorting is done within the limited rows that are shown in the data grid.
  • For a grouped search where the time series chart is turned on, the row limit applies only to the data grid. The Top N list in the time series chart controls how many time series are drawn in the chart.

Procedure

  1. Choose a search option:
    • To search events, click the Log Activity tab.
    • To search flows, click the Network Activity tab.
  2. From the Search list, select New Search.
  3. Select a previously saved search.
  4. To create a search, in the Time Range pane, select the options for the time range that you want to capture for this search.
    Note: A large time range might affect search performance.
  5. Enable unique counts in the Data Accumulation pane.
    Note: Enabling unique counts on accumulated data that is shared with many other saved searches and reports might decrease system performance.
  6. In the Search Parameters pane, define your search criteria.
    1. From the first list, select a parameter that you want to search for.
    2. From the second list, select the modifier that you want to use for the search.
      Note: To search for an event or flow whose custom property does not have a value, use the "is N/A" operator. To search for an event or flow whose custom property has a value, use the "is not N/A" operator.

    3. From the entry field, type specific information that is related to your search parameter.
    4. Click Add Filter.
    5. Repeat these steps for each filter that you are adding to the search criteria.
  7. To automatically save the search results when the search is complete, select the Save results when search is complete check box, and then type a name for the saved search.
  8. In the Column Definition pane, define the columns and column layout that you want to use to view the results:
    1. From the Display list, select the preconfigured column set to associate with this search.
    2. Click the arrow next to Advanced View Definition to display advanced search parameters.
    3. Customize the columns to display in the search results.
    4. In the Results Limit field, type the number of rows that you want the search to return.
    Tip: If you configure a log source that belongs to multiple log source groups but has only one event that matches your search criteria, the search generates results for each log source group (including the parent group) that the event belongs to. This is expected behavior.
  9. Click Filter.
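As an added illustration (not QRadar code or output), the following Python models the semantics that the table and procedure describe: the "is N/A" and "is not N/A" operators, grouping in Group By priority order, and the note that sorting a result with a row limit sorts only the rows in the data grid. The events, column names, and the assumption that added filters are combined with AND are constructed for the example.

```python
from collections import Counter

# Constructed sample events (not QRadar data). A missing "custom_prop" key
# models a custom property with no value, which the "is N/A" operator matches.
EVENTS = [
    {"src": "10.0.0.1", "category": "Authentication", "magnitude": 3, "custom_prop": "vpn"},
    {"src": "10.0.0.2", "category": "Authentication", "magnitude": 5},
    {"src": "10.0.0.1", "category": "Firewall", "magnitude": 2, "custom_prop": "edge"},
    {"src": "10.0.0.3", "category": "Firewall", "magnitude": 9},
    {"src": "10.0.0.1", "category": "Authentication", "magnitude": 1},
]


def matches(event, param, modifier, value=None):
    """One filter row from the Search Parameters pane: parameter, modifier, value."""
    if modifier == "is N/A":
        return event.get(param) is None
    if modifier == "is not N/A":
        return event.get(param) is not None
    if modifier == "equals":
        return event.get(param) == value
    raise ValueError(f"unsupported modifier: {modifier!r}")


def apply_filters(events, filters):
    """Assumption for this example: every added filter must match (AND)."""
    return [e for e in events if all(matches(e, *f) for f in filters)]


def group_by(events, columns):
    """Group by the first Group By column, then by the next, in priority order.
    Returns {(value of column 1, value of column 2, ...): row count}."""
    return Counter(tuple(e.get(c) for c in columns) for e in events)


def grid_sorted(events, order_col, descending, limit):
    """Results Limit is applied to the data grid first; sorting a column then
    reorders only those limited rows, so the grid's first row is not
    necessarily the extreme value of the full result set."""
    grid = events[:limit]
    return sorted(grid, key=lambda e: e[order_col], reverse=descending)


def global_sorted(events, order_col, descending, limit):
    """Contrast: order the full result set first, then cut to the limit."""
    ordered = sorted(events, key=lambda e: e[order_col], reverse=descending)
    return ordered[:limit]
```

With a limit of 3 and a descending sort on magnitude, grid_sorted shows 5 as the top row while the full data set contains a 9, which is the behaviour the Results Limit note warns about.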