Create search queries and views
On the Event Logs page, you can create, edit, and save full-text custom queries to monitor log messages for specific groups or event activity, such as Active Directory logins, file integrity monitoring, antivirus, etc.
Follow this example to construct your query:
- To remove existing query data from the search field, click Clear Form.
- Use one or more of the following search parameters:
  - Key words (Administrator)
  - Wildcards (Admin*)
  - Specific data fields (username:administrator)
  - IP addresses and ranges (src_net:192.168.0.0/2)
  - Any (for free-text search)
  - A leading dash (-) on a term means Does Not Contain for that field
  - Spaces between terms are treated as an implicit AND operator
  - Exists: and Missing: are valid prefixes for data fields
- Select your time frame or enter a custom time range.
- To save the search and add it to your views, click Add Search Criteria to My Views.
  - Enter a name for your query view.
  - Select the time frame type.
  - To make this your default Event Logs view, select the Is default check box.
  - Select facets and fields to display specific data points in your view.
  - Click Add View. The new view tab is added to the Event Logs page.
- To view the high-level query facets and associated data, click Analyze Results.
  - To turn on the facet graphs, click the associated image icon.
  - To enable search within a facet, click the associated search icon.
- To modify your query, edit the parameters in the search field, and then click Update.
- To share the query view with another user in your network, click the gear icon.
  - On the editable tab, click the Share tab icon.
  - Select one or more available users, and then click Export.
- To move the tab, drag it to another position in the tab rows.
- To remove the query from your view and search history, click the delete icon.
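To show how the search parameters listed above combine (key words, wildcards, field:value terms, CIDR ranges, the dash for Does Not Contain, implicit AND, and the Exists:/Missing: prefixes), here is an added Python example that evaluates such a query over a few constructed log records. It is not the product's code or documentation: the field names (username, src_ip, msg), the CIDR handling and the exact negation semantics are assumptions made for illustration.

```python
import fnmatch
import ipaddress

# Constructed sample events (not real product data); each is a flattened log record.
EVENTS = [
    {"id": 1, "username": "administrator", "src_ip": "192.168.0.14", "msg": "Logon success"},
    {"id": 2, "username": "admin_svc", "src_ip": "10.0.5.9", "msg": "Logon success"},
    {"id": 3, "username": "jsmith", "src_ip": "192.168.0.20", "msg": "Administrator group change"},
    {"id": 4, "username": "administrator", "msg": "Password changed"},  # no src_ip field
]

def _value_matches(actual, pattern):
    """Case-insensitive wildcard match; a pattern containing '/' is treated as a CIDR range (assumed)."""
    if "/" in pattern:
        try:
            return ipaddress.ip_address(str(actual)) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return fnmatch.fnmatchcase(str(actual).lower(), pattern.lower())

def _term_matches(event, term):
    """Evaluate one whitespace-separated term against a single event."""
    negate = term.startswith("-")            # leading dash: Does Not Contain
    if negate:
        term = term[1:]
    lowered = term.lower()
    if lowered.startswith("exists:"):        # Exists: prefix -> field must be present
        hit = lowered[len("exists:"):] in event
    elif lowered.startswith("missing:"):     # Missing: prefix -> field must be absent
        hit = lowered[len("missing:"):] not in event
    elif ":" in term:                        # specific data field, e.g. username:admin*
        field, pattern = term.split(":", 1)
        hit = field in event and _value_matches(event[field], pattern)
    else:                                    # bare key word: free-text search over all fields
        pattern = term if "*" in term else f"*{term}*"
        hit = any(_value_matches(v, pattern) for v in event.values())
    return hit != negate

def search(query, events=EVENTS):
    """Spaces are an implicit AND: every term must match. Returns the matching event ids."""
    terms = query.split()
    return [e["id"] for e in events if all(_term_matches(e, t) for t in terms)]

if __name__ == "__main__":
    print(search("src_ip:192.168.0.0/24 -username:administrator"))  # [3]
```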