Description Options
This pane is only displayed when you load a saved search.
Enabling unique counts on accumulated data that is shared with many other saved searches and reports migh decrease system performance.
When you load a saved search, this pane displays the following options:
• If no data is accumulating for this saved search, the following information message is displayed:
Data is not being accumulated for this search.
• If data is accumulating for this saved search, the following options are displayed:
• Columns—When you click or hover your mouse over this link, a list of the columns that are accumulating data opens.
• Enable Unique Counts/Disable Unique Counts—This link allows you to enable or disable the search results to display unique event and flow counts instead of average counts over time.
After you click the Enable Unique Counts link, a dialog box opens and indicates which saved searches and reports share the accumulated data.
• Enable Unique Counts/Disable Unique Counts—This link allows you to enable or disable the search results to display unique event counts instead of average counts over time. After you click the Enable Unique Counts link, a dialog box opens and indicates which saved searches and reports share the accumulated data.
Data Accumulation
This list displays the filters that are applied to this search. The options to add a filter are located above Current Filters list.
Current Filters
Select this check box to save and name the search results.
Save results when the search is complete
Select this list to specify a predefined column that is set to display in the search results.
Display
You can use field to filter the columns that are listed in the Available Columns list.
Type the name of the column that you want to locate or type a keyword to display a list of column names. For example, type Device to display a list of columns that include Device in the column name.
Type Column or Select from List
This list displays available columns. Columns that are currently in use for this saved search are highlighted and displayed in the Columns list.
Available Columns
Use the top set of icons to customize the Group By list.
• Add Column– Select one or more columns from the Available Columns list and click the Add Column icon.
• Remove Column– Select one or more columns from the Group By list and click the Remove Column icon.
Add and remove column icons (top set)
Use the bottom set of icon to customize the Columns list.
• Add Column—Select one or more columns from the Available Columns list and click the Add Column icon.
• Remove Column—Select one or more columns from the Columns list and click the Remove Column icon.
Add and remove column icons (bottom set)
Table 32: Search Options (continued)
Description Options
This list specifies the columns on which the saved search groups the results.
Use the following options to customize the Group By list further:
• Move Up—Select a column and move it up through the priority list using the Move Up icon.
• Move Down—Select a column and move it down through the priority list using the Move Down icon.
The priority list specifies in which order the results are grouped. The search results are grouped by the first column in the Group By list and then grouped by the next column on the list.
Group By
Specifies columns that are chosen for the search. You can select more columns from theAvailable Columnslist.
You can further customize the Columns list by using the following options:
• Move Up—Moves the selected column up the priority list.
• Move Down—Moves the selected own the priority list.
If the column type is numeric or time-based and there is an entry in the Group By list, then the column includes a list box. Use the list box to choose how you want to group the column.
If the column type is group, the column includes a list box to choose how many levels you want to include for the group.
Columns
From the first list box, select the column by which you want to sort the search results. Then, from the second list box, select the order that you want to display for the search results. Options include Descending and Ascending.
Order By
You can specify the number of rows a search returns on the Edit Search window. The Results Limit field also appears on the Results window.
• For a saved search, the limit is stored in the saved search and re-applied when loading the search.
• When sorting on a column in the search result that has row limit, sorting is done within the limited rows shown in the data grid.
• For a grouped by search with time series chart turned on, the row limit only applies to the data grid. The Top N dropdown in the time series chart still controls how many time series are drawn in the chart.
Results Limit
To search for an item that match your criteria:
1. Choose one of the following options:
• To search events, click the Log Activity tab.
• To search flows, click the Network Activity tab.
2. Click the Log Activity tab.
3. From the Search list box, select New Search.
4. To select a previously saved search:
a. Choose one of the following options: From the Available Saved Searches list, select the saved search you want to load.In the Type Saved Search or Select from List field, type the name of the search you want to load.
b. Click Load.
c. In the Edit Search pane, select the options that you want for this search. See Table 32 on page 108.
5. To create a search, in the Time Range pane, select the options for the time range you want to capture for this search.
6. Optional. In the Data Accumulation pane, enable unique counts:
a. Click Enable Unique Counts.
b. On the Warning window, read the warning message and click Continue. For more information about enabling unique counts, seeTable 32 on page 108.
7. In the Search Parameters pane, define your search criteria:
a. From the first list box, select a parameter that you want to search for. For example, Device, Source Port, or Event Name.
b. From the second list box, select the modifier that you want to use for the search.
c. In the entry field, type specific information that is related to your search parameter.
d. Click Add Filter.
e. Repeat steps a through d for each filter you want to add to the search criteria.
8. Optional. To automatically save the search results when the search is complete, select the Save results when search is complete check box, and then type a name for the saved search.
9. In the Column Definition pane, define the columns and column layout you want to use to view the results:
a. From the Display list box, select the preconfigured column that is set to associate with this search.
b. Click the arrow next to Advanced View Definition to display advanced search parameters.
c. Customize the columns to display in the search results. SeeTable 32 on page 108.
d. Optional. In the Results Limit field, type the number of rows that you want the search to return.
10.Click Filter.
The In Progress (<percent>%Complete) status is displayed in the upper right corner.
While viewing partial search results, the search engine works in the background to complete the search and refreshes the partial results to update your view.
When the search is complete, the Completed status is displayed in the upper right corner.