Each completed search has a unique Search Results ID, which represents a link to the temporary table containing the search results. You can copy that ID, then build a report or dashboard around the search results.
You can build a report around results of a previously run search by leveraging the Search Results ID.
When viewing an Events table, select the Copy icon in the table’s header.
This icon contains the Search Results ID.
Select Reports > Report Designer.
Select Create > Report.
In the Select a data source field, paste the Search Results ID that you copied.
The retention period of the temporary table in the database is 30 days.
(Optional) Convert the fields in the temporary table to human-readable values.
Continue creating the report.
You can build a dashboard around results of a previously run search by leveraging the Search Results ID.
When viewing an Events table, select the Copy icon in the table’s header.
This icon contains the Search Results ID.
Select Reports > Dashboard Designer.
Select Create > New Dashboard.
From the visual composer, select Data Source > Database > TABLE > Default_secops_recon.
Select the ID of the search that you previously copied.
The retention period of the temporary table in the database is 30 days.
Select Open wizard or OK.
(Optional) Convert the fields in the temporary table to human-readable values.
Continue creating the dashboard where the Search Results ID is the data source.
The ArcSight Database uses a temporary table to store content associated with a Search Results ID. Because the names of the fields in the table represent the coding-style name, you might want convert the terms to more user-friendly values.
To change the field names, your report or dashboard must use a Data Worksheet.
Select Reports > Dashboard Designer.
Open the dashboard or report that you want to modify.
From the upper-right corner, select the Data icon.
Open the worksheet.
In the lower pane, select the Formula Editor icon.
The tool-tip for this icon says “Create Expression.”
Select SQL.
In the Expression pane of the Formula Editor, add the following strings:
Time: to_timestamp(field['normalizedEventTime']/1000) IP: v6_ntoa(field['sourceAddressBin']) MAC: mac_btoa(field['sourceMacAddressBin'])
Select OK.
In the lower pane of the worksheet, select the Change Data Mode icon.
Select Live Event data.
Hide the binary (original) fields.
Export or Save the dashboard or report as needed.