EventTracker Log Search is a Google-like search facility for quickly finding events. It supports everything from simple string searches to parameterized searches.
Searching can be done based on the following tags: Log Type, Event Type, Category, Event ID, Source, Domain, System, and User. Searching can be done in two ways:
· Basic Search
· Advanced Search
The user can also perform a search using the Elastic search.
For a basic search, select one of the available saved searches or enter a Lucene query. The left pane lists the trending items (if any).
1. Select any of the items (e.g. User: network service) in the Trending today pane to perform a basic search.
2. To search the logs processed on the current day, click the logs processed today hyperlink to view all logs processed since 12:00 A.M. until the current time.
From Elastic
From Cache
Note: To understand the usage of the new system selection interface introduced in feature update 9.3.3 as part of update ET93U20-031, please refer to New-System-Selection-Interface-User-Guide.
Here the search is performed using Elastic Search. The user can write a Lucene query or select from the fields available in the “Search In” box.
For example, to search for an event source and a set of event IDs while excluding an event computer, the user can write a Lucene query such as: “event_source:(*EVENTTRACKER*) AND event_id:(3240 || 2040 || 2037) AND NOT event_computer:(*-DLA)” to perform the search.
The user can choose the duration and can also select from the system tree in the left pane.
Click on Search.
Alternatively, select from the dropdown in the Search In field: click the Add Search criteria icon, select from the available options, and create the search criteria.
The total count is displayed as a graph in the top pane, and the search results with their interesting fields are displayed in the bottom pane.
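To make concrete what the example query above matches and what the AND NOT clause excludes, here is an added Python example (not EventTracker's own code) that evaluates the query subset used on this page (`field:(a || b)`, `AND`, `AND NOT`, `*` wildcards) against constructed sample events; the field names and values are assumed for illustration.

```python
import re
import fnmatch

# Constructed sample events (not from the page), shaped like EventTracker fields.
SAMPLE_EVENTS = [
    {"event_source": "EventTracker", "event_id": 3240, "event_computer": "SRV-01"},
    {"event_source": "EventTracker", "event_id": 2040, "event_computer": "WKS-DLA"},
    {"event_source": "EventTracker", "event_id": 4624, "event_computer": "SRV-01"},
    {"event_source": "Security",     "event_id": 3240, "event_computer": "SRV-02"},
]

# The query shown on the page.
PAGE_QUERY = ("event_source:(*EVENTTRACKER*) AND event_id:(3240 || 2040 || 2037) "
              "AND NOT event_computer:(*-DLA)")

# One clause: optional NOT, a field name, and a parenthesised list of terms.
CLAUSE_RE = re.compile(r"(NOT\s+)?(\w+):\(([^)]*)\)")


def parse_query(query):
    """Split `f:(a || b) AND NOT g:(*x)` into (negated, field, [terms]) tuples.

    Only the AND / AND NOT / || / * subset used on the page is supported;
    anything else raises ValueError instead of silently matching nothing.
    """
    clauses = []
    for part in re.split(r"\s+AND\s+", query.strip()):
        m = CLAUSE_RE.fullmatch(part.strip())
        if not m:
            raise ValueError(f"unsupported clause: {part!r}")
        negated, field, body = m.groups()
        terms = [t.strip() for t in body.split("||") if t.strip()]
        clauses.append((negated is not None, field, terms))
    return clauses


def clause_matches(event, field, terms):
    """True if the event's field value matches any term (with * wildcards).
    Matching is case-insensitive, as Lucene's standard analyzer lowercases terms."""
    value = str(event.get(field, "")).lower()
    return any(fnmatch.fnmatchcase(value, t.lower()) for t in terms)


def search(events, query):
    """Return the events for which every clause holds (NOT clauses must not match)."""
    clauses = parse_query(query)
    return [ev for ev in events
            if all(clause_matches(ev, f, terms) != neg for neg, f, terms in clauses)]
```

Running `search(SAMPLE_EVENTS, PAGE_QUERY)` keeps only the first sample event: the second is dropped by the `NOT event_computer:(*-DLA)` clause, the others by the event_id and event_source clauses.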
Top pane
When the log volume is large and the data for the selected duration is not fully indexed, the three tabs in the search help show the entire data without any gaps.
For example, suppose the Elastic purge is set to 7 days and the user performs an Elastic search for the last 2 weeks of data. Then 1 week of data is shown in the Elastic tab, the mdb files that are available in the cache folder and whose cabs are not indexed are shown in the Cache tab, and the second week's cab data is shown in the Archives tab.
The icons in the top pane (click the icon to perform the action):
· Search
· Clear Search
· Save the search results
· Export the results
· Refine on Time duration
· Go back to Advanced search
Bottom pane
To add the interesting fields and get the results based on it, click the icon for the respective field.
To get detail related to a search entity, click the expand icon.
To add the search results to Dashboard or casebook, click the “Add search to” option.
a. Select the Dashboard option, and configure a dashlet for the same. An example is shown below:
b. Select the Casebook option, and add the result to a new or existing casebook.
The user can also view the search results from the cache.
To do this, navigate to the CACHE tab and view the results.
For advanced search from the cache, check the “Search in Archives” option.
Add Search criteria and Save Search criteria are some features that have been added and are explained below.
In Advanced Log search, you can search using regular expression.
1. Select Add search criteria icon.
2. In Search in drop down menu, select EventID.
3. Select Operator drop down.
4. Enter the search criteria in the Search for box (e.g. 3221).
5. Click Help icon for additional information.
6. Select the Search button.
The standard properties are listed in the left pane and the search results in the right. Expand the entity of interest to view its details.
The user can further include or exclude the standard properties and perform a pivoting based on the search criteria.
Every Knowledge Object that is defined has a finite set of Smart Tokens. From a visualization and analytical perspective, only a few specific Smart Tokens will be important and need to be searched. The Smart Token feature makes searching hassle-free and also helps perform a filtered search to get detailed information on a specific token when required.
The Smart Token option remains disabled by default. The user needs to enable the option to continue with the search.
How to Perform a Search on Smart Tokens?
To perform a filtered search on Smart Tokens from the Knowledge Objects available, you need to follow the below mentioned steps:
Step 1: Click the search icon from the EventTracker menu. The Log Search dialog box is displayed.
Step 2: Select the checkbox “Search in archives”. The smart token option is now visible.
Step 3: Enable the option “Smart Token” by clicking the check box.
Step 4: Perform a search. The search result gets displayed with all the interesting fields listed in the left pane.
Step 5: The interesting fields include the different values, and these fields can be further included or excluded in the search criteria.
Pivoting can be done based on the interesting fields available in the left pane, which can be included or excluded depending on the search criteria.
In Advanced Log search, you can search using regular expressions.
1. Select Add search criteria icon.
2. In Search in drop down menu, select RegEx.
3. Select Operator drop down.
4. Enter the search criteria in the Search for box.
5. Click Help icon for additional information.
6. Select the Search button.
The search criteria can also be saved for viewing later.
· Click the icon for saving the filtered token criteria.
· Give a title and click the Save button.
The search result will be saved.
· To view the saved search results, click Advanced Search. In the Advanced Log Search window, click the “Saved searches” option.
How to edit a Saved search?
To edit the saved search criteria, click the Saved search hyperlink. The saved result will be displayed.
· Click on the icon and start editing the saved searches.
· After editing and performing the search, the new search result can also be saved with a new title for viewing later.
How to Add Knowledge Objects?
To add Knowledge Objects and view a search result based on them, follow the steps below:
Step 1: Open the Advanced Log Search window.
Step 2: Click the icon to add knowledge object.
Step 3: Click ‘Search’.
The search page will be displayed and then you can further proceed in the same way for performing log search.
NOTE:
· Note that Windows Standard Token is a default token offered by EventTracker in log search; it cannot be edited or saved.