14.2 Managing Active Searches

  1. Log in to the Sentinel Web interface as a user in the administrator role.

    https://<IP_Address/DNS_Sentinel_server>:8443
    

    Replace IP_Address/DNS_Sentinel_server with the IP address or DNS name of the Sentinel server; 8443 is the default port of the Sentinel Web interface.

  2. Click Search Setup in the toolbar, then click Active Search Jobs.

    The Active Search Jobs page refreshes every 30 seconds.

    You can view the following search details. Mouse over each field for information on what the field indicates:

    • Duration: The time the job has spent searching events in the event store.

    • Status: Whether a search job is pending, running, finished, finished with errors, or canceled.

    • Owner: The user who initiated the search. For search jobs initiated by the system, the owner is indicated as “System.”

    • Type: Indicates the following:

      • System: Search jobs that are run for maintenance purposes. For example, to clean up invalid references to events from the database.

      • User: Search jobs started by users either through the Search interface or through the REST API.

      • Reports: Search jobs started by users, but used to retrieve event results for reports.

      • Data sync: Search jobs started to support the Data Synchronization feature.

      • Distributed: Search jobs initiated by a remote server (distributed search).

    • Start: The time the search started searching for events.

    • Accessed: The time elapsed since the search was initiated.

    • More: Provides detailed information such as the IP address of the machine that initiated the search, the number of events processed, the search criteria, and so forth. Check this field before killing a job you do not recognize: the originating IP address and criteria show whether the search came from an expected user, report, or remote server.

  3. (Conditional) To stop active search jobs, select the jobs you want to stop, then click Kill selected.