You can search for events indexed in scalable storage. By default the search is performed for the last 1 hour. You can change the time range in the Event Visualization interface where the search results are displayed.
To search for events indexed in scalable storage:
Log in to the Sentinel Scalable Data Manager (SSDM) web console:
https://<IP_Address or DNS_SSDM_server:port_number>
IP_Address or DNS_SSDM_server is the IP address or the DNS name of the SSDM server and port_number is the default port of the SSDM server.
You can specify the search criteria by performing any of the following:
Specify the search criteria in the Criteria field.
For information about the syntax for search criteria, see Section A.0, Search Query Syntax.
Click Build criteria to build the criteria using an interactive user interface.
Click Select and Append criteria to reuse an existing criteria from Tags and Filters.
Click Search.
SSDM displays the search results in a new tab. You can further refine the search results based on the desired event fields, time range, and so on. For information about refining the search results, see Discover in Kibana documentation.
NOTE:If the network latency between SSDM and Elasticsearch nodes is high, the event visualization interface may not launch due to a time-out error. To avoid this issue, increase the time-out period in Kibana. For more information, see Event Visualization Interface May Not Launch Due to Time-Out Error in the Troubleshooting section of the Sentinel Administration Guide.
You can save your search queries for future use so that you can perform a search using the saved query rather than specifying the query manually every time. You can save the search query either as a search in the Event Visualization interface or as a filter in the SSDM home page.
When you save your search query as a search in the Event Visualization interface, it automatically creates a corresponding filter in SSDM and the filter is private to the user that creates the search. Similarly, when you save your search query as a filter in SSDM, it automatically creates a corresponding search object in the Event Visualization interface. These searches are always public. Therefore, the searches are visible to all users regardless of the Sharing type you apply when creating a filter.
Search objects that already exist in the Elasticsearch cluster before it’s configured with SSDM are not listed under Filters by default. You must manually save the pre-existing search objects as filters, if required.
To save the search query:
In the SSDM home page, specify the search criteria in the Criteria field and click Search.
Sentinel displays the search results in the new Event Visualization interface.
(Conditional) To save the search query as a search object, click the Save search icon, specify a unique name for the search, and then click Save.
If you specify a duplicate name, you can still save the search but it will not create a corresponding filter in SSDM for this search.
(Conditional) To save the search query as a filter in SSDM, go to the SSDM home page, and click Save as filter.
Specify a unique name for the filter and an optional description.
In the Sharing drop-down list, select one of the following options to specify the access for this filter:
Private: Allows you to make this filter private. Other users cannot view or access this filter.
Public: Allows you to share this filter with all users.
Users in same role: Allows you to share this filter with users who have the same role as yours.
Users in selected roles: Allows you to share this filter with users in specific roles. If you select this option, a blank field is displayed where you can specify the roles. As you type the role name, a list of roles is displayed.
Select one or more roles.
NOTE:This option is available only for users in the administrator role.
Click Save.
When you edit or delete a search in the Event Visualization interface, the changes are applied to the corresponding filter in SSDM as well. Similarly, when you edit or delete a filter in SSDM, the changes are applied to the corresponding search in the Event Visualization interface as well.
You can edit and delete only the filters that you created. The default filters and the filters that other users have shared with you cannot be edited or deleted. For information about managing searches, see Managing Saved Searches, Visualizations, and Dashboards in Kibana documentation.