Viewing Search Results - Novell IDENTITY AUDIT 1.0 - GUIDE Manual


To search for a value in a specific field, use the short name of the field, a colon, and the value. For
example, to search for an authentication attempt to Identity Audit by user2, use the following text in
the search field:
evt:authentication AND sun:user2
Other advanced searches might include:
pn:NMAS AND sev:5
sip:123.45.67.89 AND evt:"Set Password"
Figure 6-2 Advanced Search Example
Multiple advanced search criteria can be combined by using the following operators:
AND (must be capitalized)
OR (must be capitalized)
NOT (must be capitalized and cannot be used as the only search criterion)
+
-
Special characters must be escaped by using a \ symbol:
+ - && || ! ( ) { } [ ] ^ " ~ * ? : \
The advanced search criteria are modeled on the search criteria for the Apache Lucene* open source
package. More detail about the search criteria is available on the Web: Lucene Query Parser Syntax
(http://lucene.apache.org/java/2_3_2/queryparsersyntax.html).
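The escaping and operator rules above matter most when a search string is assembled from values an analyst pastes in or a script supplies. The following is an added example, not code from the manual or from Novell: the function names, the field-name pattern, and the choice to quote values containing spaces or bare operator words (modeled on the evt:"Set Password" example) are assumptions.

```python
import re

# Characters the manual lists as requiring a backslash escape
# ("&&" and "||" are covered by escaping each "&" and "|").
SPECIAL = set('+-&|!(){}[]^"~*?:\\')
OPERATORS = {"AND", "OR", "NOT"}                # operators when capitalized
FIELD_RE = re.compile(r"[A-Za-z][A-Za-z0-9]*")  # assumed short-name shape


def escape_value(value):
    """Backslash-escape every special character in a search value."""
    return "".join("\\" + ch if ch in SPECIAL else ch for ch in value)


def term(field, value):
    """Build one field:value criterion from an untrusted value."""
    if not FIELD_RE.fullmatch(field):
        raise ValueError(f"bad field short name: {field!r}")
    if not value:
        raise ValueError("empty search value")
    escaped = escape_value(value)
    # Quote phrases (as in evt:"Set Password") and bare operator words so
    # they are matched as data instead of splitting or steering the query.
    if any(c.isspace() for c in value) or value in OPERATORS:
        return f'{field}:"{escaped}"'
    return f"{field}:{escaped}"


def all_of(*criteria):
    """Join (field, value) pairs with the capitalized AND operator."""
    if not criteria:
        raise ValueError("at least one criterion is required")
    return " AND ".join(term(f, v) for f, v in criteria)


if __name__ == "__main__":
    # The manual's own example, rebuilt from parts.
    print(all_of(("sip", "123.45.67.89"), ("evt", "Set Password")))
    # Constructed input that would otherwise widen the search with OR.
    print(all_of(("evt", "authentication"), ("sun", "user2 OR sun:*")))
```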

6.2 Viewing Search Results

Searches return a set of events. Users can view basic or detailed event information and configure the
number of results per page. Search results are returned in batches. The default batch size is 25
results, but this is easily configured.
When results are sorted by relevance, only the top 100,000 events can be viewed. When they are
sorted by time, this limitation does not exist.
Section 6.2.1, "Basic Event View," on page 50