Documentation forSecurity Event Manager

Analyze historical data

The SEM historical data search engine locates any event data that passed through a particular SEM Manager instance. You can use the historical data search to conduct custom searches, investigate your search results and event data, and then act on your findings.

Learn how to build a search query here.

Use historical search to:

  • Search normalized event data.
  • View, explore, and search significant event activity. Historical search summarizes event activity in a selectable table or list view that you can use to easily select and investigate areas of interest.
  • See specific date and time range data using the custom time picker.
  • Conduct custom searches. You can also create complex search queries with the intuitive search builder.
  • Save and reuse custom searches.
  • Export and import queries as JSON files.
  • Schedule saved searches.
  • Export your search results to a spreadsheet file in CSV format.

Since certain searches parameters can result in huge number of matching results and thus negatively impact performance, SEM limits the number of events that are retrieved. For more on this, see Event Limits.

View historical events:

  1. Log in to the SEM Console.
  2. In the toolbar, click Historical Events.

    The unfiltered events (that is, all events on the network) for the last ten minutes display as a chart and a table.

     OptionDescription
    1Query Builder

    Helps you build queries to filter the historical results.

    See Create a search query for information about creating queries.

    2Time PickerClick to specify the time period for this query. You can use preset "quick picks" or create your own custom periods.
    3Options

    Displays options based on whether the search query is saved and scheduled.

    Save query as new: Save the new query currently being viewed with a user-supplied name. The query will then be available from the Queries list.

    Save and schedule: Save the query and open the Schedule search window so that you can run the currently viewed query at specified dates and times, and have the results emailed to selected email addresses and LDAP users or used in Scheduled Query Severity dashboard widgets.

    Edit saved query: Apply tags and thresholds to a query for use in Scheduled Query Severity dashboard widgets.

    Schedule this query: Open the Schedule search window so that you can run the currently viewed query at specified dates and times, and have the results emailed to selected email addresses and LDAP user or used in Scheduled Query Severity dashboard widgets.

    4Queries/ Refine results

    Allows you to switch between the list of saved queries and the Refine Results list. The Refine Results lists the fields available for filtering historical events by category. Drag these to the Query Builder field, or click the Add icon.

    See Create a search query for more information on using these fields and creating queries.

    5Event chart

    Displays the number of events over the specified period of time as a simple bar chart.

    Drag the cursor over a time period to zoom in on that period. Click the icon to return to the previously specified period.

    6Event DetailAllows you to select a single event in the table to display additional information in the Event Details pane.
    7Menu

    The menu options displayed depend on what is selected.

    • Click Export to save as a CSV file.
    • Click Switch to List view to display the filtered events as a list.
    • Click Switch to Table view to display the filtered events as a table.
    • Click Hide Chart to remove the chart from display.
    • Click Show Chart to display the chart.
    8EventsDisplays the total number of events meeting the query.

Maximum number of events shown

The number of loaded events is displayed in the window below.

By clicking the icon, you can view the:

  • number of loaded events
  • maximum number of loaded events
  • number of event found (loaded and not-loaded)

Since searches with a high maximum threshold can negatively impact performance, you can set the maximum number of events that are loaded. On average, every 1000 returned search results consumes approximately 100MB of RAM. This can result in up to 10GB being consumed by one search query if the threshold is set to the 100,000 maximum.

Click the information icon for more information.

To change the maximum limit, click Change limits. See Set live and historical event limits for more information.

Custom time picker

You can refine your search results with the custom time picker. You can select a quick pick, or set a specific date and time range