Using the Search Feature
Step 3 Click Save Criteria
The Save Criteria window is displayed.
Step 4 Enter values for the parameters:
Table 3-14 Save Criteria Parameters
Parameter / Description
Search Name Type the unique name you want to assign to this search criteria.
If you select a time range for your search, STRM Log Manager appends your search name with the specified time range. For example, a saved search named Exploits by Source with a time range of Last 5 minutes becomes Exploits by Source - Last 5 minutes.
If you change a column set in a previously saved search, and then save the search criteria using the same name, previous accumulations for time series charts are lost.
Assign Search to Groups
Select the check boxes for the groups you want to assign this saved search to. If you do not select a group, this saved search is assigned to the Other group by default. For more information, see Managing Event Search Groups.
Manage Groups
Click Manage Groups to manage search groups. For more information, see Managing Event Search Groups.
Timespan options:
Choose one of the following options:
• Real Time (streaming) - Select this option if you want to filter on events while in streaming mode. For more information on streaming mode, see Viewing Streaming Events.
• Last Interval (auto refresh) - Select this option if you want to filter on events while in auto-refresh mode. The Log Activity tab refreshes at one minute intervals to display the most recent information.
• Recent - Select this option and, from the list box, select the time range you want to filter for.
• Specific Interval - Select this option and, from the calendar, select the date and time range you want to filter for.
Include in my Quick Searches
Select this check box if you want to include this search in your Quick Search list box, which is located on the Log Activity tab toolbar. For more information on the Quick Search toolbar option, see Table 3-1.
Include in my Dashboard
Select this check box if you want to include the data from your saved search in your Dashboard. For more information on the Dashboard tab, see Using the Dashboard Tab.
NOTE
This parameter is only displayed if the search is grouped.
Set as Default
Select this check box if you want to set this search as your default search when you access the Log Activity tab.
Share with Everyone
Select this check box if you want to share these search requirements with all other STRM Log Manager users.
Step 5 Click OK.
Performing a Sub-Search
Each time you perform a search, STRM Log Manager searches the entire database for events that match your criteria. This process may take an extended period of time depending on the size of your database.
The sub-search feature allows you to perform searches within a set of previously completed search results. The sub-search function allows you to refine your search results without requiring you to search the database again.
This feature is not available for grouped searches, searches in progress, or in streaming mode. When defining a search that you want to use as a base for sub-searching, make sure that the Real Time (streaming) option is disabled and the search is not grouped.
To perform a sub-search:
Step 1 Click the Log Activity tab.
Step 2 Perform a search. See Searching Events. The search results are displayed.
This search becomes the base search from which any sub-searches can be performed. Before you continue, make sure your search is complete.
The Current Filter pane specifies the filters on which this search is based.
Step 3 To add a filter:
a Click Add Filter.
The Add Filter window is displayed.
b From the first list box, select a parameter you want to search for.
NOTE
The Quick Filter parameter allows you to search for events that match your text string in the event payload. For more information on how to use the Quick Filter parameter, see Using Quick Filter Syntax.
c From the second list box, select the modifier you want to use for the search.
The list of modifiers that are available depends on the attribute selected in the first list.
d In the text field, type specific information related to your search.
e Click Add Filter.
NOTE
You can right-click an event and select the Filter on option.
The sub-search results are displayed.
NOTE
If the search remains in progress, partial results are displayed.
The Original Filter pane specifies the filters applied to the base search. The Current Filter pane specifies the filters applied to the sub-search.
NOTE
You can clear sub-search filters without restarting the base search. Click the Clear Filter link next to the filter you want to clear. If you clear a filter from the Original Filter pane, the base search is relaunched.
Step 4 Click Save Criteria to save the sub-search criteria. See Saving Search Criteria.
NOTE
If you delete the base search criteria, you still have access to the saved sub-search criteria. If you add a filter, the sub-search searches the entire database since the search function no longer bases the search on a previously searched data set.
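The behaviour the sub-search procedure describes (filters in the Current Filter pane narrow a cached result set without another database pass, clearing an Original Filter relaunches the base search, and saved sub-search criteria fall back to a full database search once the base search is gone) is modelled below in Python. This is an added illustration, not STRM Log Manager code: the event fields, the modifiers offered per attribute, the in-memory event "database" and the class and function names are all constructed assumptions.

```python
"""Model of base search vs. sub-search over a cached result set.

Added illustration, not STRM Log Manager code. The event fields, the
modifiers offered per attribute and the in-memory "database" are
constructed assumptions chosen to mirror the behaviour the procedure
describes: sub-search filters run over the base search's results, clearing
an Original Filter relaunches the base search, and saved criteria run
against the whole database once the base search is gone.
"""
from dataclasses import dataclass

# Constructed sample events standing in for the event database.
EVENT_DB = [
    {"id": 1, "source_ip": "10.0.0.5", "category": "Exploit",
     "payload": "GET /cgi-bin/test.cgi HTTP/1.1"},
    {"id": 2, "source_ip": "10.0.0.5", "category": "Exploit",
     "payload": "POST /login.php HTTP/1.1"},
    {"id": 3, "source_ip": "10.0.0.9", "category": "Exploit",
     "payload": "GET /cgi-bin/admin.cgi HTTP/1.1"},
    {"id": 4, "source_ip": "10.0.0.5", "category": "Authentication",
     "payload": "sshd: Accepted password for admin"},
]

# Which modifiers the second list box offers depends on the attribute chosen
# in the first: exact-match fields get equality tests, the payload text
# (the Quick Filter case) gets a substring match. Assumed set, not STRM's.
MODIFIERS = {
    "source_ip": {"Equals": lambda v, t: v == t,
                  "Does not equal": lambda v, t: v != t},
    "category": {"Equals": lambda v, t: v == t},
    "payload": {"Contains": lambda v, t: t in v},
}


def modifiers_for(attribute):
    """Modifiers available for an attribute (second list box contents)."""
    return list(MODIFIERS[attribute])


@dataclass(frozen=True)
class Filter:
    attribute: str
    modifier: str
    value: str

    def matches(self, event):
        test = MODIFIERS[self.attribute][self.modifier]
        return test(event[self.attribute], self.value)


def ids(events):
    """Event ids of a result list, for compact comparison."""
    return [e["id"] for e in events]


class SearchSession:
    """A base search plus any sub-search filters layered on its results."""

    def __init__(self, db):
        self.db = db
        self.original_filters = []   # Original Filter pane
        self.current_filters = []    # Current Filter pane
        self.base_results = []
        self.db_scans = 0            # full-database passes, the expensive part

    @staticmethod
    def _apply(events, filters):
        return [e for e in events if all(f.matches(e) for f in filters)]

    def run_base_search(self, filters):
        """Scan the whole database; this is what a sub-search avoids."""
        self.db_scans += 1
        self.original_filters = list(filters)
        self.base_results = self._apply(self.db, filters)
        return self.results()

    def add_filter(self, flt):
        """Sub-search: narrow the cached base results, no database scan."""
        self.current_filters.append(flt)
        return self.results()

    def results(self):
        return self._apply(self.base_results, self.current_filters)

    def clear_filter(self, flt):
        """Clearing a Current filter is free; clearing an Original filter
        relaunches the base search. Whether sub-search filters survive that
        relaunch is not stated on the page; this model keeps them (assumption)."""
        if flt in self.current_filters:
            self.current_filters.remove(flt)
            return self.results()
        if flt in self.original_filters:
            remaining = [f for f in self.original_filters if f != flt]
            return self.run_base_search(remaining)
        raise KeyError(f"no such filter: {flt}")

    def save_criteria(self):
        """Saved sub-search criteria: the full filter list, base included."""
        return self.original_filters + self.current_filters


def run_saved_criteria(db, criteria):
    """With the base search deleted, saved criteria must scan the database."""
    return SearchSession(db).run_base_search(criteria)


if __name__ == "__main__":
    s = SearchSession(EVENT_DB)
    exploits = Filter("category", "Equals", "Exploit")
    print(ids(s.run_base_search([exploits])))                           # [1, 2, 3]
    print(ids(s.add_filter(Filter("payload", "Contains", "cgi-bin"))))  # [1, 3]
    print(s.db_scans)                                                   # 1
```

The `db_scans` counter is the point of the model: every `add_filter` and every clear of a Current filter leaves it unchanged, while clearing an Original filter or re-running saved criteria without the base search increments it, which is exactly the cost the procedure tells you to avoid by keeping the base search intact.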
Managing Search Results
You can perform multiple event searches while navigating to other tabs. You can configure the search feature to send you an e-mail notification when a search is complete. At any time while a search is in progress, you can view partial results.
NOTE
The Manage Search Results feature retains chart configurations from the associated saved search criteria. However, if the saved search result is based on saved search criteria that has been deleted, default charts (bar and pie) are displayed.
This section includes the following information:
• Viewing Managed Search Results
• Saving Search Results
• Canceling a Search
• Deleting a Search
Viewing Managed Search Results
To view search results:
Step 1 Click the Log Activity tab.