2.4 Saving a Search Query

You can save a search query, then repeat it as desired. To save a search query, you must first perform a search. When you are satisfied with the search results, you save the search query.

NOTE: You must have the necessary permission to access the specific options. For example, only users in the Report Administrator role can save the search query as a report template.

2.4.1 Saving a Search Query as a Filter

  1. Perform a search, and refine the search results as desired.

    For more information, see Section 2.1, Running an Event Search and Section 2.3, Refining Search Results.

  2. When you are satisfied with the search results, click , then click Save as new filter.

  3. Specify a unique name for the filter and an optional description.

  4. In the drop-down list, select one of the following options to specify the access for this filter:

    • Private filter: Allows you to make this filter private. Other users cannot view or access this filter.

    • Share with everyone: Allows you to share this filter with all users.

    • Share with other users in my role: Allows you to share this filter with users who have the same role as yours.

    • Share with roles: Allows you to share this filter with users in specific roles. If you select this option, a blank field is displayed where you can specify the roles. As you type the role name, a list of roles is displayed.

      Select one or more roles.

      NOTE: This option is available only for users in the administrator role.

  5. Click Save.

    The saved filter is listed in the Filters panel. For more information on filters, see Section 3.0, Configuring Filters.
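The sharing options in step 4 define who can see a saved filter, and the "Share with roles" option is itself gated on the administrator role. The following is an added illustration of that access model, not Sentinel's own code: it validates the sharing option at save time and answers "can this user view this filter?" for each option. The role names, the `ADMIN_ROLE` constant and the internal option keys are assumptions made for the example.

```python
"""Visibility model for saved search filters (added example, not Sentinel code).

Models the four options of the 'Save as new filter' dialog: private,
share with everyone, share with users in my role, share with named roles.
Role names and ADMIN_ROLE are assumptions for this illustration.
"""
from dataclasses import dataclass, field

ADMIN_ROLE = "administrator"  # assumed name of the administrator role

# Internal keys for the four dialog options (assumed; the UI shows labels only)
ACCESS_OPTIONS = {"private", "everyone", "my_role", "roles"}


@dataclass(frozen=True)
class User:
    name: str
    role: str


@dataclass(frozen=True)
class SavedFilter:
    name: str
    owner: User
    access: str                              # one of ACCESS_OPTIONS
    roles: frozenset = field(default_factory=frozenset)  # only for "roles"


def save_filter(owner, name, access, roles=()):
    """Validate the sharing choice the way the dialog does, then build the filter.

    'Share with roles' is only offered to administrators, so a non-admin
    trying to use it is rejected here rather than silently downgraded.
    """
    if access not in ACCESS_OPTIONS:
        raise ValueError(f"unknown access option: {access!r}")
    if access == "roles":
        if owner.role != ADMIN_ROLE:
            raise PermissionError("'Share with roles' is available only to administrators")
        if not roles:
            raise ValueError("'Share with roles' requires at least one role")
    return SavedFilter(name=name, owner=owner, access=access, roles=frozenset(roles))


def can_view(flt, user):
    """Return True if user may see the filter under its sharing option."""
    if user == flt.owner:          # the owner always sees their own filter
        return True
    if flt.access == "private":
        return False
    if flt.access == "everyone":
        return True
    if flt.access == "my_role":    # same role as the owner, not an arbitrary role
        return user.role == flt.owner.role
    return user.role in flt.roles  # "roles": explicit allow-list of role names


def visible_filters(filters, user):
    """Names of the filters a user would see in the Filters panel."""
    return [f.name for f in filters if can_view(f, user)]


if __name__ == "__main__":
    # Constructed sample users and filters
    alice = User("alice", ADMIN_ROLE)
    bob = User("bob", "analyst")
    dave = User("dave", "auditor")
    filters = [
        save_filter(bob, "bob-private", "private"),
        save_filter(bob, "bob-everyone", "everyone"),
        save_filter(bob, "bob-role", "my_role"),
        save_filter(alice, "admin-roles", "roles", ["auditor"]),
    ]
    for u in (alice, bob, dave):
        print(u.name, visible_filters(filters, u))
```

Note that "Share with other users in my role" compares against the owner's role at view time, so a user whose role changes later gains or loses access without the filter being edited.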

2.4.2 Saving a Search Query as a Report Template

You can save the search query as a search report or as a Jasper report.

NOTE: You must have the Manage Reports permission to save the search query as a report template.

Saving the Search Query as a Search Report

  1. Perform a search, and refine the search results as desired.

    For more information, see Section 2.1, Running an Event Search and Section 2.3, Refining Search Results.

  2. When you are satisfied with the search results, click , then click Save as report.

  3. Specify the following information:

    Report Name: Specify a unique name for the report template.

    Report Type: Select Event List to save the report in the search report format.

  4. Specify the following information in the Default Report Result Parameters section:

    Name: Specify a unique name for the report.

    Email To: To e-mail the report template to others, specify the e-mail address. To send the report template to more than one person, specify multiple e-mail addresses separated by a comma.

    Targets: Displays the number of servers that will be searched for events. This option is useful if distributed search is enabled. To select the targets you want to search, click selected targets, then select the targets.

    Event Limits: Specify the number of results to be stored in the report template. By default, 1000 results are stored in a report template.

  5. (Optional) To generate report results immediately after you save the report template, select Run this report now using current search query.

  6. Click Save to save the report definition.

    You can see the saved report definition in the Report Viewer pane in the Sentinel Web interface. To view the reports, see Viewing the Reports.

Saving the Query as a Jasper Report

  1. Perform a search, and refine the search results as desired.

    For more information, see Section 2.1, Running an Event Search and Section 2.3, Refining Search Results.

  2. When you are satisfied with the search results, click , then click Save as report.

  3. Specify the following information:

    Report Name: Specify a unique name for the report template.

    Report Type: Select Visualization to save the report in the Jasper report format.

  4. Specify any of the following information in the Default Result Parameters field:

    • Name: Specify a unique name for the report.

    • Targets: Displays the number of sources that can be searched for events. This option is useful if distributed search is enabled. To select the targets that you want to search, click the selected targets link, then select the targets. This option is available only for users in the administrator role.

    • Language: Select the language in which the report labels and descriptions should be displayed.

      The default value is the language you used when you logged in, if the report supports that language. If the report does not support it, the report's default language is used.

      The data in the report is displayed in the language originally used by the event source.

    • Date Range: If the report includes time period parameters, select the date range. All time periods are based on the local time of the browser.

      • Current Day: Select this option to list events from midnight of the current day until 11:59:59 p.m. of the current day. If the current time is 8:00:00 a.m., the report shows 8 hours of data.

      • Previous Day: Select this option to list events from midnight of the previous day until 11:59:00 p.m. of the previous day.

      • Week To Date: Select this option to list events from midnight Sunday of the current week until the end of the selected day.

      • Previous Week: Select this option to list the last seven days of events.

      • Month to Date: Select this option to list events from midnight the first day of the current month until the end of the selected day.

      • Previous Month: Select this option to list events of a month, from midnight of the first day of the previous month until 11:59:00 p.m. of the last day of the previous month.

      • Custom Date Range: Select this option to list events for a specific period. If you select this option, you must also specify a start date and an end date.

    • Email Report To: To e-mail the report template to someone, specify the e-mail address. To send the report template to more than one person, specify multiple e-mail addresses separated by a comma.

    • Event Limit: Specify the number of event results to be stored in the report template. By default, 1000 results are stored in a report template.

    • Minimum Severity: Specify the minimum severity value of the events to be displayed. The default value is 0.

    • Maximum Severity: Specify the maximum severity value of the events to be displayed. The default value is 5.

    • Preview: Click Preview to view the report before saving.

  5. (Optional) To generate report results immediately and store them with the report template, select Run this report now using the current search query.

  6. Click Save to save the report definition.

    You can see the saved report definition in the Report Viewer pane in the Sentinel Web interface. To view the reports, see Section 11.2, Viewing the Reports.
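The Date Range options in step 4 of the Jasper report procedure are defined relative to the browser's local time, with a week starting on Sunday and "to date" ranges running to the end of the current day. The following is an added example, not Sentinel code, that computes the start and end of each option from a given "now". Two points are assumptions: "Previous Week" is taken as the seven full days before today, and times are naive local datetimes with no time-zone conversion.

```python
"""Date-range resolution for the report options (added example, not Sentinel code).

Assumptions: naive datetimes in browser-local time; 'Previous Week' means the
seven full days before today; each range ends at 23:59:59 of its last day.
"""
from datetime import datetime, timedelta


def _midnight(d):
    return d.replace(hour=0, minute=0, second=0, microsecond=0)


def _end_of_day(d):
    return d.replace(hour=23, minute=59, second=59, microsecond=0)


def report_date_range(option, now, start=None, end=None):
    """Return (start, end) datetimes for a Date Range option, relative to now."""
    today = _midnight(now)
    if option == "Current Day":
        return today, _end_of_day(now)
    if option == "Previous Day":
        yesterday = today - timedelta(days=1)
        return yesterday, _end_of_day(yesterday)
    if option == "Week To Date":
        # datetime.weekday(): Monday=0 ... Sunday=6; the week starts on Sunday here
        days_since_sunday = (now.weekday() + 1) % 7
        return today - timedelta(days=days_since_sunday), _end_of_day(now)
    if option == "Previous Week":
        # Assumption: the seven full days before today
        return today - timedelta(days=7), _end_of_day(today - timedelta(days=1))
    if option == "Month To Date":
        return today.replace(day=1), _end_of_day(now)
    if option == "Previous Month":
        first_of_this_month = today.replace(day=1)
        last_of_prev_month = first_of_this_month - timedelta(days=1)
        return last_of_prev_month.replace(day=1), _end_of_day(last_of_prev_month)
    if option == "Custom Date Range":
        # Both bounds are mandatory for this option
        if start is None or end is None:
            raise ValueError("Custom Date Range requires both a start date and an end date")
        if end < start:
            raise ValueError("end date must not precede start date")
        return start, end
    raise ValueError(f"unknown date range option: {option!r}")


def report_date_range_iso(option, now_iso, start_iso=None, end_iso=None):
    """Same as report_date_range but with ISO-8601 strings in and out."""
    parse = lambda s: datetime.fromisoformat(s) if s is not None else None
    s, e = report_date_range(option, parse(now_iso), parse(start_iso), parse(end_iso))
    return s.isoformat(), e.isoformat()


if __name__ == "__main__":
    # Constructed "now": a Wednesday at 08:00 local time
    now = "2024-03-13T08:00:00"
    for opt in ("Current Day", "Previous Day", "Week To Date", "Previous Week",
                "Month To Date", "Previous Month"):
        print(f"{opt:15} {report_date_range_iso(opt, now)}")
    print(report_date_range_iso("Custom Date Range", now,
                                "2024-03-01T00:00:00", "2024-03-05T23:59:59"))
```

With the constructed "now" of Wednesday 2024-03-13 08:00, "Current Day" spans midnight to 23:59:59 even though only eight hours of events can exist yet, which is the behaviour the Current Day option describes.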

2.4.3 Saving a Search Query as a Routing Rule

You must be in the administrator role to save the search query as a routing rule.

  1. Perform a search, and refine the search results as desired.

    For more information, see Section 2.1, Running an Event Search and Section 2.3, Refining Search Results.

  2. When you are satisfied with the search results, click , then click Save as routing rule.

  3. Specify a name for the rule.

  4. (Conditional) To associate one or more tags to the events, click Select a tag, select the desired tags, then click Set.

  5. Select where you want to route the events to:

    • All: Events are routed to all Sentinel services, including Correlation and Security Intelligence.

    • Event store only: Events are sent directly to the event store, and are not displayed in Active Views and the search results page.

    • None (drop): Events are dropped or ignored, and are not sent to any Sentinel service.

  6. Select one or more actions to be performed on each event that meets the search criteria. Click the plus and minus icons to add and remove actions.

  7. Click Save.

2.4.4 Saving a Search Query as a Retention Policy

You must be in the administrator role to save the search query as a retention policy.

  1. Perform a search, and refine the search results as desired.

    For more information, see Section 2.1, Running an Event Search and Section 2.3, Refining Search Results.

  2. When you are satisfied with the search results, click , then click Save as retention policy.

  3. Specify a name for the retention policy.

  4. In the Keep at least field, specify the minimum number of days to retain the events in the system. The value must be a valid positive integer.

  5. (Optional) In the Keep at most field, specify the maximum number of days for which the events should be retained in the system.

    The value must be a valid positive integer and must be greater than or equal to the Keep at least value. If no value is specified, the system retains the events for as long as space is available in local storage.

  6. Click Save.

    The newly created policy is displayed in the data retention table. For more information on retention policies, see Configuring Data Retention Policies in the NetIQ Sentinel 7.0.1 Administration Guide.
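Steps 4 and 5 define a retention window: events younger than Keep at least are always kept, events older than Keep at most are always removed, and events in between (or older than Keep at least when no upper bound is set) survive only while local storage has space. The following is an added example, not Sentinel code, that validates the two fields the way the dialog requires and decides the disposition of events of a given age. The exact boundary handling (an event exactly Keep at most days old is still kept) and the `storage_full` flag are assumptions for the illustration.

```python
"""Retention-policy validation and event disposition (added example, not Sentinel code).

Assumptions: ages are whole days; an event exactly keep_at_most days old is
still within the window; 'storage_full' stands in for the local-storage
space check that decides the fate of events between the two limits.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RetentionPolicy:
    name: str
    keep_at_least: int                 # mandatory, positive integer (days)
    keep_at_most: Optional[int] = None  # optional, >= keep_at_least (days)

    def __post_init__(self):
        # Same constraints the dialog enforces on the two fields
        if type(self.keep_at_least) is not int or self.keep_at_least <= 0:
            raise ValueError("Keep at least must be a positive integer")
        if self.keep_at_most is not None:
            if type(self.keep_at_most) is not int or self.keep_at_most <= 0:
                raise ValueError("Keep at most must be a positive integer")
            if self.keep_at_most < self.keep_at_least:
                raise ValueError("Keep at most must be >= Keep at least")


def disposition(policy, age_days, storage_full):
    """Return 'keep' or 'delete' for an event age_days old under the policy."""
    if age_days < policy.keep_at_least:
        return "keep"                       # inside the guaranteed window
    if policy.keep_at_most is not None and age_days > policy.keep_at_most:
        return "delete"                     # past the hard limit
    # Between the limits, or no upper limit: kept only while space is available
    return "delete" if storage_full else "keep"


def select_for_deletion(policy, events, storage_full):
    """IDs of events eligible for removal; events are (event_id, age_days) pairs."""
    return [eid for eid, age in events
            if disposition(policy, age, storage_full) == "delete"]


if __name__ == "__main__":
    # Constructed sample events matched by the saved query
    sample_events = [("e1", 3), ("e2", 30), ("e3", 45), ("e4", 90), ("e5", 120)]
    policy = RetentionPolicy("auth-events", keep_at_least=30, keep_at_most=90)
    print("space available:", select_for_deletion(policy, sample_events, False))
    print("storage full:   ", select_for_deletion(policy, sample_events, True))
    unbounded = RetentionPolicy("default", keep_at_least=30)
    print("no upper bound, storage full:",
          select_for_deletion(unbounded, sample_events, True))
```

The practical consequence for investigations: only Keep at least is a guarantee. Anything older may disappear as soon as storage pressure arrives, so evidence that must outlive that window needs a policy whose Keep at least covers it.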

2.4.5 Creating a Dashboard

You must have the Manage and View Security Intelligence Dashboards permission to create a dashboard.

  1. Perform a search, and refine the search results as desired.

    For more information, see Section 2.1, Running an Event Search and Section 2.3, Refining Search Results.

  2. When you are satisfied with the search results, click , then click Create dashboard from filter.

  3. Specify the following information to create the dashboard:

    • Name: Specify a unique name for the dashboard.

    • Classifier: Select the classifier that determines the categories displayed in the dashboard. Click the Info link for information on each category.

    • Data Retention Period: Select how long the data for the dashboard is retained.

  4. Click Create dashboard to create the dashboard.

The dashboard is displayed in a new browser tab. A new dashboard is empty because it has not had time to collect any data. For more information on dashboards, see Section 5.0, Analyzing Trends in Data.