Self-service search
What is self-service search?
The self-service search feature enables you to find and filter user events received from your data sources. You can explore the underlying user events and their attributes, which helps you identify and troubleshoot data issues. The search page displays various facets (dimensions) and metrics for a data source. Define your search query and apply filters to view the events that match your criteria. By default, the self-service search page displays user events for the last month.
Currently, the self-service search feature is available for the following data sources:
Also, you can perform self-service search on the events that met your defined policies. For more information, see Self-service search for Policies.
How to access self-service search
You can access the self-service search by using the following options:
- Top bar: Click Search from the top bar to view all user events for the selected data source.
- Risk timeline on a user profile page: Click Event Search to view the events for the respective user.
Self-service search from the top bar
Use this option to go to the self-service search page from any place in the user interface.
- Click Search to view the self-service page.
- Select the data source and the time period to view the corresponding events.
Self-service search from user’s risk timeline
Use this option if you want to view the user events associated with a risk indicator.
When you select a risk indicator from a user’s timeline, the risk indicator information section is displayed on the right pane. Click Event Search to explore, on the self-service search page, the events associated with the user and with the data source for which the risk indicator was triggered.
For more information on the user risk timeline, see Risk timeline.
How to use self-service search
Use the following features on the self-service search page:
- Facets to filter your events.
- Search box to enter your query and filter events.
- Time selector to select the time period.
- Timeline details to view the event graphs.
- Event data to view the events.
- Export to CSV format to download your search events as a CSV file.
Use facets to filter events
Facets are the summary of data points that constitute an event. Facets vary depending on the data source. For example, the facets for the Access Control data source are reputation, actions, location, and category group, whereas the facets for Virtual Apps and Desktops are event type, domain, and platform.
Select the facets to filter your search results. The self-service search page displays the selected facets as chips. For more information on the facets corresponding to each data source, see the self-service search article for the data source mentioned earlier in this article.
Use search query in the search box to filter events
When you place your cursor in the search box, the search box displays a list of dimensions based on the user events. These dimensions vary according to the data source. Use the dimensions and the valid operators to define your search criteria and search for the required events.
For example, in the self-service search for access, you get the following dimensions for the access events. Use the dimensions to type your query, select the time period, and then click Search.
Supported operators in search query
Use the following operators in your search queries to refine your search results.
Operator | Description | Example | Output |
---|---|---|---|
: | Assign a value to the search query | User-Name : John | Displays events for the user John |
= | Assign a value to the search query | User-Name = John | Displays events for the user John |
~ | Search similar values | User-Name ~ test | Displays events having similar user names |
"" | Enclose values separated by spaces | User-Name = "John Smith" | Displays events for the user John Smith |
<, > | Search for relational value | Data Volume > 100 | Displays events where data volume is greater than 100 GB |
AND | Search values where both conditions are true | User-Name : John AND Data Volume > 100 | Displays events of user John where data volume is greater than 100 GB |
* | Wildcard that matches zero or more characters | User-Name = John* | Displays events for all user names that begin with John |
 | | User-Name = *John* | Displays events for all user names that contain John |
 | | User-Name = *Smith | Displays events for all user names that end with Smith |
!= | Search values where the condition is not true | Country != USA | Displays events for the countries except USA |
The NOT EQUAL (!=) operator can be used only in the following conditions:
Data source | Dimensions |
---|---|
Access Control | Country, City, Action, URL, URL Category, Reputation, Browser, OS, Device |
Content Collaboration | Country, City, Client OS |
Gateway | Authentication Stage, Client IP |
Virtual Apps and Desktops | Country, City, App Name, Clipboard Operation, Browser, OS |
Note
For the NOT EQUAL operator, while entering the values for the dimensions in your query, use the exact values available on the self-service search page for a data source. The dimension values are case-sensitive.
For more information on how to specify your search query for the data source, see the self-service search article for the data source mentioned earlier in this article.
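As an added example (not the product's own implementation), the following Python evaluator applies the operator table and the NOT EQUAL restrictions above to a few constructed events. The clause grammar, the reading of `~` as a case-insensitive substring match, and the event fields are assumptions; the data-source names and the dimensions permitted for `!=` are taken from the tables above. Running it shows why the case-sensitivity note matters: `Country != usa` excludes nothing, because the stored value is `USA`.

```python
import re

# Constructed sample events (illustrative only, not data from the product).
EVENTS = [
    {"User-Name": "John", "Data Volume": 150, "Country": "USA"},
    {"User-Name": "John Smith", "Data Volume": 20, "Country": "UK"},
    {"User-Name": "testuser", "Data Volume": 300, "Country": "USA"},
    {"User-Name": "Johnny", "Data Volume": 120, "Country": "India"},
]

# Dimensions on which the NOT EQUAL operator is permitted, per data source,
# taken from the table above.
NOT_EQUAL_DIMENSIONS = {
    "Access Control": {"Country", "City", "Action", "URL", "URL Category",
                       "Reputation", "Browser", "OS", "Device"},
    "Content Collaboration": {"Country", "City", "Client OS"},
    "Gateway": {"Authentication Stage", "Client IP"},
    "Virtual Apps and Desktops": {"Country", "City", "App Name",
                                  "Clipboard Operation", "Browser", "OS"},
}

# One clause: <dimension> <operator> <value>. Dimension names may contain
# spaces and hyphens (User-Name, Data Volume); values may be double-quoted.
# This grammar is an assumption modelled on the operator table, not the
# product's parser.
CLAUSE_RE = re.compile(
    r'^\s*(?P<dim>[A-Za-z][\w -]*?)\s*(?P<op>!=|[:=~<>])\s*(?P<val>"[^"]*"|\S+)\s*$'
)


def parse_query(query):
    """Split a query on AND and return a list of (dimension, operator, value)."""
    clauses = []
    for part in re.split(r"\s+AND\s+", query.strip()):
        match = CLAUSE_RE.match(part)
        if not match:
            raise ValueError(f"cannot parse clause: {part!r}")
        dim, op, val = match.group("dim"), match.group("op"), match.group("val")
        if val.startswith('"'):
            val = val[1:-1]  # strip the enclosing quotes
        clauses.append((dim, op, val))
    return clauses


def validate_not_equal(clauses, data_source):
    """Reject != on dimensions the page does not list for the data source."""
    allowed = NOT_EQUAL_DIMENSIONS.get(data_source, set())
    for dim, op, _ in clauses:
        if op == "!=" and dim not in allowed:
            raise ValueError(f"!= is not supported on {dim!r} for {data_source}")


def is_valid_query(query, data_source):
    """True when the query parses and every != clause is on a permitted dimension."""
    try:
        validate_not_equal(parse_query(query), data_source)
        return True
    except ValueError:
        return False


def clause_matches(event, dim, op, val):
    """Evaluate one clause against one event; values compare case-sensitively."""
    actual = event.get(dim)
    if actual is None:
        return False
    text = str(actual)
    if op in (":", "="):
        if "*" in val:
            # Only * is a wildcard; every other character is matched literally.
            pattern = ".*".join(re.escape(piece) for piece in val.split("*"))
            return re.fullmatch(pattern, text) is not None
        return text == val
    if op == "!=":
        return text != val  # exact, case-sensitive, as the note above states
    if op == "~":
        # "Similar values" is assumed here to mean a case-insensitive substring match.
        return val.lower() in text.lower()
    if op in ("<", ">"):
        try:
            threshold = float(val)
        except ValueError:
            raise ValueError(f"{op} needs a numeric value, got {val!r}")
        return float(actual) > threshold if op == ">" else float(actual) < threshold
    raise ValueError(f"unknown operator {op!r}")


def search(events, query, data_source="Access Control"):
    """Return the events for which every AND-joined clause is true."""
    clauses = parse_query(query)
    validate_not_equal(clauses, data_source)
    return [e for e in events if all(clause_matches(e, *c) for c in clauses)]


if __name__ == "__main__":
    for q in ("User-Name : John", "User-Name = John*", "Country != USA",
              "User-Name : John* AND Data Volume > 100"):
        print(q, "->", [e["User-Name"] for e in search(EVENTS, q)])
```

The `is_valid_query` check mirrors the restriction that `!=` is accepted only on the listed dimensions: the same `Country != USA` clause is valid for Access Control but rejected for Gateway.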
Select time to view event
Select a preset time or enter a custom time range and click Search to view the events.
View the timeline details
The timeline provides a graphical representation of user events for the selected time period. Move the selector bars to choose the time range and view the events corresponding to the selected time range.
The figure shows timeline details for access data.
View the event
You can view the detailed information about the user event. Click a user to get insight into their data.
The figure shows the details about the user’s access data.
Add or remove columns
You can either add or remove columns from the event table to display or hide the corresponding data points. Do the following:
- Click Add or Remove Columns.
- Select or deselect the data points from the list and then click Update.
If you deselect a data point from the list, the corresponding column is removed from the event table. However, you can view that data point by expanding the event row for a user. For example, when you deselect the TIME data point from the list, the TIME column is removed from the event table. To view the time record, expand the event row for a user.
Export the events to a CSV file
Export the search results to a CSV file and save it for your reference. Click Export to CSV format to export the events and download the CSV file that is generated.
How to save the self-service search
As an administrator, you can save a self-service query. This feature saves the time and effort of rewriting the query that you use often for analysis or troubleshooting. The following options are saved with the query:
- Applied search filters
- Selected data source and duration
Do the following to save a self-service query:
- Select the required data source and duration.
- Type a query in the search bar.
- Apply the required filters.
- Click Save Search.
- Specify the name to save the custom query.
Note
Ensure the query name is unique. Otherwise, the query is not saved.
- Click Save.
To view the saved searches, select View Saved Searches.
In this example, the self-service query is User-Name = testuser, and the applied filters (Event Type, Domain, and Platform) are saved with the query.
To remove a saved search:
- Select View Saved Searches.
- Select the saved search that you want to remove.
- Click Remove saved search.
Note
- Only a query owner can edit or remove the saved search.
- You can copy the saved search link address to share with another user.