Working with live search

By default, the system uses a "live search" feature to help you locate information. From the event console, you can search for information by:

  • Device (name) and Component - Device name and Component searches:
    • Are case-insensitive.
    • Are tokenized on whitespace. A search that spans whitespace returns results only if it begins with a complete token; one that starts in the middle of a token returns nothing.
    • If quoted, return only exact matches.
  • Summary - Summary searches:
    • Are case-insensitive.
    • Are tokenized on whitespace, with the same rule as above: a search that spans whitespace must begin with a complete token or it returns nothing.
  • Event class - Event class searches:
    • Are case-insensitive.
    • Are tokenized on / (slash). How the search is matched depends on its form:
      • Begins with a slash and ends with a slash or an asterisk: event classes are matched with a "starts with" comparison.
      • Begins with a slash and ends with any other character: event classes are matched exactly.
      • Does not begin with a slash: a sub-string match is made against each event class.
  • IP Address - IP address searches (for IPv4 and IPv6 values):
    • Are tokenized on . (period) and : (colon). For example, each of the following searches would match the address 129.168.1.100:
      • 168
      • 168.1
      • 129.16*
      • *29
  • Time fields
    • First Seen - This is always the time of the first occurrence of the event and does not change.
    • Last Seen - This is the most recent occurrence of the event, and is updated each time the event occurs.
    • State Change - This is the time that the event state was modified, most commonly when the event is closed.

    Entering a datetime in one of these filters in the format YYYY-MM-DD HH:MM:SS displays events whose timestamp is equal to or newer than the entered datetime. Note that although the input field accepts 24-hour format, the system displays times in 12-hour format (am/pm) by default.

    You can also filter on a time range by using the form 'start datetime TO end datetime', that is, "YYYY-MM-DD HH:MM:SS TO YYYY-MM-DD HH:MM:SS". For example, "2017-07-21 12:00:00 TO 2017-07-22 12:00:00" returns all events whose timestamp falls within the 24-hour period from 12:00:00 on July 21st to 12:00:00 on July 22nd.
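    The matching rules above, restated as an executable model so they can be checked against sample values. This is an added example, not the console's own search code: the event records, device names, addresses and event classes are constructed for the illustration, and wherever the page is silent (a single unquoted token matching as a prefix of a token, range bounds being inclusive, quoting having no special meaning for summary searches) the behaviour chosen is an assumption and is marked as such in the code.

```python
"""Executable model of the event-console search rules documented above.

Added example, not the product's own code: each function restates one rule
so its semantics can be checked against constructed sample values. Where the
page is silent (single-token prefix matching, inclusive range bounds, quoting
for summary searches) the behaviour here is an assumption and marked as such.
"""
import re
from datetime import datetime
from fnmatch import fnmatchcase

TIME_FMT = "%Y-%m-%d %H:%M:%S"


def _tokens(text, separators):
    """Lower-case `text` and split on any of `separators`, dropping empties."""
    return [t for t in re.split("[" + re.escape(separators) + "]+", text.lower()) if t]


def tokenized_match(query, value, separators=" \t\r\n", quoted_exact=True):
    """Device, component, summary and IP-address rule.

    Case-insensitive and tokenized on `separators`. Every query token but the
    last must equal a whole value token, so a search that spans a separator
    without starting on a complete token returns nothing. '*' is a wildcard.
    Assumption: the last query token may be a prefix of its value token (live
    search refines as you type), which is why "168" and "168.1" both hit
    129.168.1.100. A quoted query (documented for device and component)
    must equal the whole value.
    """
    if quoted_exact and len(query) >= 2 and query[0] == query[-1] == '"':
        return query[1:-1].lower() == value.lower()
    q, v = _tokens(query, separators), _tokens(value, separators)
    if not q or len(q) > len(v):
        return False
    for start in range(len(v) - len(q) + 1):
        window = v[start:start + len(q)]
        head_ok = all(fnmatchcase(vt, qt) for qt, vt in zip(q[:-1], window[:-1]))
        if head_ok and fnmatchcase(window[-1], q[-1] + "*"):
            return True
    return False


def event_class_match(query, event_class):
    """Event-class rule: case-insensitive, tokenized on '/'."""
    q, c = query.lower(), event_class.lower()
    if not q.startswith("/"):
        return q in c                       # no leading slash: sub-string match
    if not (q.endswith("/") or q.endswith("*")):
        return q == c                       # leading slash, other end: exact match
    # Leading slash and trailing '/' or '*': "starts with" on the class path.
    qt, ct = _tokens(q.rstrip("*"), "/"), _tokens(c, "/")
    if not qt:
        return True                         # "/" or "/*" matches every class
    if len(qt) > len(ct) or ct[:len(qt) - 1] != qt[:-1]:
        return False
    if q.endswith("*"):
        return ct[len(qt) - 1].startswith(qt[-1])   # "/Status/Pi*" -> /Status/Ping
    return ct[len(qt) - 1] == qt[-1]                # "/Status/"    -> /Status/...


def time_matches(query, value):
    """Time-field rule for First Seen, Last Seen and State Change.

    A single "YYYY-MM-DD HH:MM:SS" matches timestamps equal to or newer than
    it; "start TO end" matches timestamps within the range (assumption: both
    bounds inclusive). `value` is the event's timestamp in the same format.
    """
    ts = datetime.strptime(value, TIME_FMT)
    bounds = [datetime.strptime(p, TIME_FMT)
              for p in re.split(r"\s+TO\s+", query.strip(), maxsplit=1)]
    if len(bounds) == 1:
        return ts >= bounds[0]
    if bounds[1] < bounds[0]:
        raise ValueError("range end precedes range start")
    return bounds[0] <= ts <= bounds[1]


# Constructed sample events; every name, address and class here is invented.
EVENTS = [
    {"device": "web01.example.com", "component": "httpd", "summary": "Service httpd down",
     "eventClass": "/Status/Ping", "ipAddress": "129.168.1.100", "lastTime": "2017-07-21 13:30:00"},
    {"device": "DB Server 01", "component": "postgres", "summary": "Replication lag high",
     "eventClass": "/Perf/PingLatency", "ipAddress": "10.0.5.20", "lastTime": "2017-07-20 08:15:00"},
    {"device": "edge-rtr", "component": "eth0", "summary": "Interface eth0 down",
     "eventClass": "/Status", "ipAddress": "fd00:0:0:1::29", "lastTime": "2017-07-22 12:00:00"},
]

MATCHERS = {
    "device": tokenized_match,
    "component": tokenized_match,
    "summary": lambda q, v: tokenized_match(q, v, quoted_exact=False),
    "ipAddress": lambda q, v: tokenized_match(q, v, separators=".:"),
    "eventClass": event_class_match,
    "lastTime": time_matches,
}


def search(events, **criteria):
    """Apply one documented rule per filled-in column; a row must pass all of them."""
    return [ev["device"] for ev in events
            if all(MATCHERS[field](q, ev[field]) for field, q in criteria.items())]


if __name__ == "__main__":
    print(search(EVENTS, eventClass="/Status/",
                 lastTime="2017-07-21 12:00:00 TO 2017-07-22 12:00:00"))
```

    The IPv6 sample shows why tokenizing on both . and : matters: the trailing wildcard search *29 hits the last hextet of fd00:0:0:1::29 as well as the first octet of 129.168.1.100, while 68.1 hits nothing because it does not begin on a complete token.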

With live search enabled (the default), the system filters the displayed information immediately, refining the results with each character you type in the search field. With live search disabled, the search runs only after you enter one or more characters and press Enter.