
Configuring a Search with Search Builder

In document LEM6.2UserGuide (Page 148-153)

Use this basic procedure whenever you need to configure a search with Search Builder. The number of possible searches is endless, but they all follow this basic procedure.

Feel free to experiment with these tools. Searches report information, so there is no harm done if you create searches that are unusual or have logic problems. With a little practice, you will be able to configure complex searches that report exactly the data you want.

To configure a search with Search Builder:

1. Open Search Builder.

2. In the list pane, locate the item you want to search for.

3. Do one of the following:

   • Drag the item from the list pane into the Conditions box.
   • Double-click the item to add it to the Conditions box.

Note: By default, the Conditions box includes a "this item exists" condition. To use it, type or paste the search string you want to search for into the text box. Or you can replace this condition by dragging an item from the list pane on top of it.

4. If the list item contains a variable field (such as a field for an IP address, a constant value, or an empty text box), type the specific value you want to search for.

Note: Search Builder will show you if a particular configuration is invalid. If a condition field is yellow (left), it means the search's current configuration is invalid. If a condition field is red (right), it means the condition does not apply to the type of data you are currently searching. For example, perhaps you are trying to search log messages with conditions that are meant for event data.

A yellow condition field means the search configuration is invalid.

A red condition means the search configuration does not apply to the type of data you are searching.

5. Click to create new groups, as needed.

6. Repeat Steps 2 and 3, dragging new items into the appropriate group boxes, as needed.

7. Select the appropriate AND and OR operators for each group to configure the search to your needs.

search.

You can click at any time to stop a search that is in progress.

After a few moments, nDepth returns the search results. To see the search results, do one of the following:

   • Select an option from the nDepth explorer toolbar to view a graphical version of the search results.
   • Open the Refine Fields list to see a categorized summary of the search data.
   • Open the Result Details view to examine and explore the actual data.
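As an added illustration (not LEM's own code or data), the following Python model captures the Search Builder semantics described in the procedure above: conditions sit in groups combined by AND or OR, and a search is refused while any condition is yellow (invalid, here an empty value) or red (a field that does not apply to the data type being searched). The field catalogue, sample events and all names are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional
# Hypothetical field catalogue: the fields each searchable data type offers.
FIELDS = {"event": {"EventName", "SourceIP", "DestinationIP"},
          "log": {"Message", "Host"}}

@dataclass
class Condition:
    item: str    # the list-pane item dragged into the Conditions box
    value: str   # the variable field typed in step 4
    def validate(self, data_type: str) -> Optional[str]:
        """None = usable; 'yellow' = invalid (empty value); 'red' = does not apply to data_type."""
        if self.item not in FIELDS[data_type]:
            return "red"
        return "yellow" if not self.value.strip() else None
    def matches(self, record: dict) -> bool:
        return str(record.get(self.item, "")) == self.value

@dataclass
class Group:
    operator: str   # "AND" or "OR", as chosen in step 7
    members: list   # Conditions and nested Groups
    def problems(self, data_type: str) -> list:
        """Collect every yellow/red flag in this group and its nested groups."""
        out = []
        for m in self.members:
            if isinstance(m, Group):
                out.extend(m.problems(data_type))
            elif (p := m.validate(data_type)):
                out.append(f"{p}: {m.item}")
        return out
    def matches(self, record: dict) -> bool:
        combine = all if self.operator == "AND" else any
        return combine(m.matches(record) for m in self.members)

def run_search(group: Group, data_type: str, records: list) -> list:
    """Refuse to run while any condition is flagged, then filter the records."""
    if problems := group.problems(data_type):
        raise ValueError("invalid search: " + ", ".join(problems))
    return [r for r in records if group.matches(r)]

# Constructed sample events (not real LEM data) and a two-group search:
# EventName = UserLogonFailure AND (SourceIP = 10.0.0.5 OR SourceIP = 10.0.0.7)
EVENTS = [{"EventName": "UserLogonFailure", "SourceIP": "10.0.0.5"},
          {"EventName": "UserLogon", "SourceIP": "10.0.0.5"},
          {"EventName": "UserLogonFailure", "SourceIP": "10.0.0.7"}]
SEARCH = Group("AND", [Condition("EventName", "UserLogonFailure"),
                       Group("OR", [Condition("SourceIP", "10.0.0.5"),
                                    Condition("SourceIP", "10.0.0.7")])])
```

Running the same SEARCH against the "log" data type raises, because every event field it uses is red for log messages.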

Utilities

The following table describes the key features of the Explore > Utilities view.

History pane: The History pane displays a record of your explorer viewing history. Selecting an item in the history list displays the corresponding explorer event in the Explorer pane. Click the History button to alternately show and hide the History pane. When needed, you can delete individual history items from the history list. The Reset button lets you remove all items from the history list.

Utilities pane: The Utilities pane shows the explorers that are currently open. You can have multiple explorers open at the same time.

Cascade button: This button arranges the open explorer windows so they appear in an organized "cascade." Their title bars are all visible, but the windows are stacked one on top of another. The active explorer is at the front of the stack.

Respond menu: This menu lets you take action to respond to the event or event field that is the subject of the active explorer. You can also use the Respond menu to take action even when no explorer windows are open or active. This menu behaves exactly as it does in the Monitor view's Utilities event grid.

Explore menu: This menu contains options to open the other explorers. You can use it to further explore the event message or event field that is the subject of the active explorer. Or you can open a blank explorer to manually enter the item you want to explore.

Explorer windows: The explorers you are working with appear as individual windows within the Utilities pane. You can minimize, resize, and close each explorer window, as needed.

Minimized explorers: Any explorers that you have minimized appear at the bottom of the Utilities pane as a title bar. Click a title bar to reopen that explorer.

◄ ► buttons: Beginning from the active explorer window, you can use these buttons to cycle through the other open explorer windows. Click ◄ to go to the previous window. Click ► to go to the next window.

Explorer Types

The Console contains the following explorers.

Event: The Event explorer, which can only be opened from the Monitor view, allows you to view all of the events that are related to the event that is currently selected in the Console. The Event explorer displays both sequential and concurrent events. That is, you can view the events that occurred before, during, and after the selected event. You can also monitor events in real time, to see where they came from and where they are going. Use this explorer when you need to know what caused the rule to fire.

Whois: The Whois explorer identifies the source of an IP address or domain name based on how it is registered with domain and network authorities. It can tell you where something is located physically in the world, and who actually owns the device you're searching for. For example, use this explorer if you need to know who owns a domain that corresponds to the IP that caused the rule to fire.

NSLookup: The NSLookup explorer resolves IP addresses to host names, and host names to IP addresses. Use this explorer to determine more information about a source or destination IP address. For example, use this explorer when you need to know the name that corresponds to the IP address that caused the rule to fire (it resolves a name like "SolarWinds.com" to an IP address).

Traceroute: The Traceroute explorer traces the network links from your host computer to the destination you specify. That is, it shows you the "hops" between your computer and the IP address of the destination. For example, use this explorer to determine the network connections between yourself and an IP that caused the rule to fire.

Flow explorer: The Flow explorer lets you perform flow analysis to determine which IP addresses or ports are generating or receiving the most network traffic. You can also analyze the volume of data (in bytes or packets) that is transferring to or from a given IP address or port number on your network. The explorer reports this information in easy-to-read graphs and tables. For example, if you see a strange IP address at the top of the Flow explorer's activity list, you can select the desired bar on the graph or a row in the table, and then choose the Whois explorer from the Explore menu to find out what the IP address is and why it is transmitting so much data.

nDepth: nDepth is a powerful search engine that lets you search all of the event data or the original log messages that pass through a particular Manager. The log data is stored in real time, as it originally occurs from each host (network device) and source (application or tool) that is monitored by the Manager.

Both Explore views have a Respond menu and an Explore menu that you can use with any of the explorers:

   • The Respond menu lets you take corrective action on an event or other information presented in an explorer, such as shutting down a workstation when you see a problem reported in the Console.
   • The Explore menu lets you use any of the other explorers to investigate a particular event, event detail, nDepth search result, or other explorer finding.
