Working with Live Search

By default, the system uses a "live search" feature to help you locate information. From the event console, you can search for information by:

  • Device (name) and Component - Device name and Component searches:
    • Are case-insensitive.
    • Are tokenized on whitespace (meaning that any searches that span whitespace and do not start with a complete token will return no results).
    • If quoted, return only exact matches.
  • Summary - Summary searches:
    • Are case-insensitive.
    • Are tokenized on whitespace (meaning that any searches that span whitespace and do not start with a complete token will return no results).
  • Event class - Event class searches:
    • Are case-insensitive.
    • Are tokenized on / (slash). If the search begins with a slash, and ends with a slash or asterisk, then event classes are searched by using a "starts with" approach. If a search starts with a slash and ends with any other character, then event classes are searched by using an exact match for the event class. If a search does not begin with a slash, then event classes are searched by using a sub-string match on each event class.
  • IP Address - IP address searches (for IPv4 and IPv6 values):
    • Are tokenized by . (period) and : (colon). For example, the following searches would return a result of 129.168.1.100:
      • 168
      • 168.1
      • 129.16*
      • *29
  • First Seen, Last Seen, State Change - These fields are not tokenized; date searches are converted to numeric representations, and ranges are then created from these representations. Search values are inclusive. A date search starts from the value entered and returns any result that matches that value or any later value. The following searches would return the First Seen time of 2017-05-04 15:52:52:
    • First Seen: 2017-05-01 00:00:00
    • First Seen: 2017-05-04 15:52:52

With live search enabled (the default behavior), the system filters available information immediately. It presents increasingly refined information with each character you type in the search window. When live search is disabled, the system responds only after you enter one or more characters and then press Enter.
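
The three event class matching modes described above, written out as an added Python example (not the product's own code) so you can see which query form includes sub-classes and which does not. The function names and sample event classes are constructed for illustration; treating a non-slash query as a sub-string of the whole class path and handling of an empty query are assumptions.

```python
# Added example: models the event class search rules described on this page.
# Sample event classes below are constructed, not taken from a real system.
SAMPLE_EVENT_CLASSES = [
    "/Status/Ping",
    "/Status/Snmp",
    "/App/Failed",
    "/Security/Login",
    "/Security/Login/BadPass",
]


def match_event_class(query: str, event_class: str) -> bool:
    """Return True if event_class would match query under the documented rules."""
    q = query.strip().lower()          # searches are case-insensitive
    ec = event_class.lower()
    if not q:
        return True                    # assumption: empty query filters nothing
    if q.startswith("/"):
        if q.endswith("/") or q.endswith("*"):
            # Leading slash + trailing slash or asterisk: "starts with" match.
            return ec.startswith(q.rstrip("*"))
        # Leading slash + any other final character: exact match only.
        return ec == q
    # No leading slash: sub-string match (assumed to be against the full path).
    return q in ec


def search(query: str, event_classes=SAMPLE_EVENT_CLASSES) -> list:
    """Filter a list of event classes the way the console filter would."""
    return [ec for ec in event_classes if match_event_class(query, ec)]


if __name__ == "__main__":
    for q in ("/Security/Login", "/Security/Login/", "/Security/Login*", "login"):
        print(f"{q!r:22} -> {search(q)}")
```

Note that the exact-match form (`/Security/Login`) leaves out events filed under sub-classes, while the trailing-asterisk form returns the class and everything beneath it.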