21.1 Configure Search Preferences

Available only when ArcSight Recon is deployed in your environment

To reduce the time required to create and manage searches, configure Search to use your preferred settings. You can always override your preferences as needed when you create a search. When you modify your Search preferences, the changes apply to new searches. Existing searches are not affected unless you re-run the search.

Default Fieldset

Specifies the fieldset that you regularly use for a search. The default value is Base Event Fields.

Default View

Specifies whether you want the Events Table to display results in the Grid View or Raw View. The default value is Grid View.

Time Zone

Instructs Search to adjust the timestamp for events to the chosen time zone.

  • Browser

  • Database

  • Custom

To specify the type of timestamp that you want to use, modify the preference for Base Searches On.

Date / Time Format

Specifies the format of dates and times that you want Search to use. The default is YYYY/MM/DD.

For example, you might want to use the same format that you have already configured for your browser. Alternatively, you might prefer a format like MM/DD/YYYY HH:MM:SS.

Default Time Setting

Specifies the time range within which you want Search to find events. The default is Last 30 minutes.

  • Dynamic

    If you prefer to use a dynamic time range, you must also specify the Start and End times. For example, specify $Now - 30m and $Now respectively.

  • Static

    If you use different time settings for each search that you create, you might want to select this option for your preference. The default is the preset value of Last 30 minutes.

  • Preset

    If you prefer to use a preset time range, you must also specify a preset value. For example, Last 24 hours.
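To make the difference between the Dynamic, Static and Preset options concrete, the following added example resolves each kind of Default Time Setting into an absolute start/end window and converts it into the chosen time zone. It is illustration code written for this page, not ArcSight code. It assumes a small grammar for dynamic expressions modelled on the page's sample ("$Now - 30m" and "$Now": "$Now" optionally followed by "+" or "-", a number and a unit of s, m, h or d), assumes preset values read like "Last 24 hours", and uses a constructed settings dictionary and a constructed UTC-5 zone as the "Custom" time zone; which forms Recon actually accepts beyond the page's sample is not stated there and is not claimed here.

```python
"""Resolve a Search time-range preference into a concrete (start, end) window.

Added example, not ArcSight code. The dynamic-expression grammar, the preset
phrasing and the settings dictionary shape are assumptions for illustration.
"""
import re
from datetime import datetime, timedelta, timezone

# Assumed grammar: "$Now", or "$Now" followed by +/- <n><unit>, unit in s/m/h/d.
_UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}
_DYNAMIC_RE = re.compile(r"^\$Now(?:\s*([+-])\s*(\d+)\s*([smhd]))?$", re.IGNORECASE)
# Assumed preset phrasing, e.g. "Last 30 minutes" or "Last 24 hours".
_PRESET_RE = re.compile(r"^Last\s+(\d+)\s+(second|minute|hour|day)s?$", re.IGNORECASE)


def is_valid_dynamic(expr: str) -> bool:
    """True if the expression fits the assumed "$Now [+|-] <n><unit>" grammar."""
    return _DYNAMIC_RE.match(expr.strip()) is not None


def resolve_dynamic(expr: str, now: datetime) -> datetime:
    """Evaluate a dynamic expression against the clock reading taken when the search runs."""
    m = _DYNAMIC_RE.match(expr.strip())
    if not m:
        raise ValueError(f"unsupported dynamic time expression: {expr!r}")
    sign, amount, unit = m.groups()
    if sign is None:            # bare "$Now"
        return now
    delta = timedelta(**{_UNITS[unit.lower()]: int(amount)})
    return now - delta if sign == "-" else now + delta


def resolve_window(setting: dict, now: datetime, tz=timezone.utc):
    """Return (start, end) for a Default Time Setting, expressed in the chosen time zone.

    Dynamic and Preset windows move with `now`; a Static window is fixed and
    therefore identical no matter when the search is re-run.
    """
    mode = setting["mode"]
    if mode == "dynamic":
        start = resolve_dynamic(setting["start"], now)
        end = resolve_dynamic(setting["end"], now)
    elif mode == "preset":
        m = _PRESET_RE.match(setting["value"].strip())
        if not m:
            raise ValueError(f"unsupported preset value: {setting['value']!r}")
        amount, unit = m.groups()
        start = now - timedelta(**{unit.lower() + "s": int(amount)})
        end = now
    elif mode == "static":
        start, end = setting["start"], setting["end"]
    else:
        raise ValueError(f"unknown time setting mode: {mode!r}")
    if start > end:
        raise ValueError("start of the time range must not be after its end")
    return start.astimezone(tz), end.astimezone(tz)


def example_results() -> dict:
    """Run the three modes against two constructed clock readings an hour apart."""
    first_run = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)   # constructed
    rerun = first_run + timedelta(hours=1)                          # constructed re-run
    dynamic = {"mode": "dynamic", "start": "$Now - 30m", "end": "$Now"}
    preset = {"mode": "preset", "value": "Last 24 hours"}
    static = {"mode": "static", "start": first_run - timedelta(hours=2), "end": first_run}
    custom_zone = timezone(timedelta(hours=-5))   # stands in for a "Custom" time zone
    d1 = resolve_window(dynamic, first_run)
    d2 = resolve_window(dynamic, rerun)
    p1 = resolve_window(preset, first_run)
    s1 = resolve_window(static, first_run)
    s2 = resolve_window(static, rerun)
    c1 = resolve_window(dynamic, first_run, tz=custom_zone)
    return {
        "dynamic_span_minutes": int((d1[1] - d1[0]).total_seconds() // 60),
        "dynamic_shifts_on_rerun": d2 != d1,
        "dynamic_rerun_end": d2[1].isoformat(),
        "preset_span_hours": int((p1[1] - p1[0]).total_seconds() // 3600),
        "static_same_on_rerun": s1 == s2,
        "custom_tz_end": c1[1].isoformat(),
    }


if __name__ == "__main__":
    for name, value in example_results().items():
        print(f"{name}: {value}")
```

The point the walk-through makes is that a Dynamic or Preset preference is evaluated each time the search runs, so re-running a saved search an hour later looks at a different slice of events, whereas a Static range always returns the same window; the last result also shows the same instant reported in a Custom time zone rather than UTC.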

Base Searches On

Specifies the timestamp associated with the events that you want to find:

  • Normalized Event Time

  • Device Receipt Time

  • Database Receipt Time

Search Expires In

Specifies how long searches are retained before they expire and are removed from the system. This option enables you to reduce the amount of search results held in the database, and thus improve Search performance. The database purges expired searches at midnight. The default is 30 days, with a maximum of 365 days.

Alternatively, you can choose to never remove a search. Also, the expiration date resets whenever you access the search. Resetting the date includes resuming or re-running the search, as well as saving the search.

Maximum Search Results

Specifies the maximum number of events that Search will return. You can specify a value between 1 and 10 million. The default is 3,000,000, unless otherwise specified in the CDF Management Portal. This option cannot override the limit specified in the Management Portal.

Search considers a search complete when the results reach the maximum limit, so a search that stops at the limit might not include every matching event.

Highlight Query Syntax

Specifies whether you want Search to use color to differentiate the syntax terms from the operators and functions within the query.

For example, in the figure below, Search displays the variable Source Address in blue, the value 11.0.* in red, and the operator in subnet in white.

Figure 21-1 Example of Highlighted Query Syntax