Documentation for Security Event Manager

Analyze historical data in SEM

The SEM historical data search engine can locate any event data that has passed through a particular SEM Manager instance. You can use the historical data search to conduct custom searches, investigate your search results and event data, and then act on your findings.

Learn how to build a search query here.

Use historical search to do the following:

  • Search normalized event data.
  • View, explore, and search significant event activity. Historical search summarizes event activity in a selectable table or list view that you can use to easily select and investigate areas of interest.
  • See specific date and time range data using the custom time picker.
  • Conduct custom searches. You can also create complex search queries with the intuitive search builder.
  • Save and reuse custom searches.
  • Export and import queries as JSON files.
  • Schedule saved searches.
  • Export your search results to a spreadsheet file in CSV format.

Because certain search parameters can return a huge number of matching results and thus degrade performance, SEM limits the number of events that are retrieved. For more on this, see Event Limits.

To view historical events:

  1. From the SEM console, click Historical Events.

    When you first open Historical Events, it shows unfiltered events (that is, all events on the network) for the last ten minutes as a chart and a table. The numbered callouts below correspond to the areas of the Historical Events view.

    1. Query Builder: This is where you build queries to filter the historical results. For information on creating queries, see Create a search query.
    2. Time Picker: Click to specify the time period for this query. You can either use preset "quick picks" or create your own custom periods.
    3. Options: The options displayed when you click this depend on whether the search query has already been saved and scheduled.

       Save query as new: Save the query currently being viewed under a user-supplied name. The query is then available from the Queries list.

       Save and schedule: Save the query and open the Schedule search window so that you can run the currently viewed query at specified dates and times, and have the results emailed to selected email addresses and LDAP users or used in Scheduled Query Severity dashboard widgets.

       Edit saved query: Apply tags and thresholds to a query for use in Scheduled Query Severity dashboard widgets.

       Schedule this query: Open the Schedule search window so that you can run the currently viewed query at specified dates and times, and have the results emailed to selected email addresses and LDAP users or used in Scheduled Query Severity dashboard widgets.

    4. Queries / Refine results: Switch between the list of saved queries and the Refine Results pane. The Refine Results pane lists the fields available for filtering historical events, grouped by category. Drag a field to the Query Builder field, or click the Add icon. For more information on using these fields and creating queries, see Create a search query.
    5. Event chart: The number of events over the specified period of time is displayed as a simple bar chart. Drag the cursor over a time period to zoom in on that period; click the icon that then appears in the top right of the chart to return to the previously specified period.
    6. Event Detail: Select a single event in the table to display additional information in the Event Details pane.
    7. Menu: The menu options displayed depend on what is selected.

       • Click Export to save the results as a CSV file.
       • Click Switch to List view to display the filtered events as a list.
       • Click Switch to Table view to display the filtered events as a table.
       • Click Hide Chart to remove the chart from the display.
       • Click Show Chart to display the chart.

    8. Events: Shows the total number of events matching the query.

Maximum number of events shown

The number of loaded events is displayed here.

By clicking the icon you can see:

  • the number of loaded events
  • the maximum number of loaded events
  • the number of events found (loaded and not loaded)

Since searches with a high maximum threshold can negatively impact performance, you can set the maximum number of events that are loaded. On average, every 1000 returned search results consumes approximately 100MB of RAM. This can result in up to 10GB being consumed by one search query if the threshold is set to the 100,000 maximum.

  1. Click the information icon for more information.

  2. To change the maximum limit, click Change limits and see Set search and filter thresholds.

The custom time picker

  1. Refine your search results with the custom time picker.

    You can select a quick pick, or set a specific date and time range.