Self-service search

The self-service search feature enables you to find and filter user events received from your data sources. You can explore the underlying user events and its attributes. These events help you to identify any data issues and troubleshoot them. The search page displays various facets (dimensions) and metrics for a data source. You can define your search query and apply filters to view the events that match your defined criteria. By default, the self-service search page displays user events for the last one month.

Currently, the self-service search feature is available for the following data sources:

Also, you can perform self-service search on the events that met your defined policies. For more information, see Self-service search for Policies.

You can access the self-service search by using the following options:

  • Top bar: Click Search from the top bar to view all user events for the selected data source.

  • Risk timeline on a user profile page: Click Event Search to view the events for the respective user.

Self-service search from the top bar

Use this option to go to the self-service search page from any place in the user interface.

  1. Click Search to view the self-service page.

    Top bar search

  2. Select the data source and the time period to view the corresponding events.

    Top bar search page

Self-service search from user’s risk timeline

Use this option if you want to view the user events associated with a risk indicator.

When you select a risk indicator from a user’s timeline, the risk indicator information section is displayed on the right pane. Click Event Search to explore the events associated to the user and the data source (for which the risk indicator is triggered) on the self-service search page.

Risk timeline search

For more information on the user risk timeline, see Risk timeline.

Use the following features on the self-service search page:

Search overview page

Use facets to filter events

Facets are the summary of data points that constitute an event. Facets vary depending on the data source. For example, the facets for the Access Control data source are reputation, actions, location, and category group. Whereas the facets for Virtual Apps and Desktops are event type, domain, and platform.

Select the facets to filter your search results. The self-service search page displays the selected facets as chips. For more information on the facets corresponding to each data source, see the self-service search article for the data source mentioned earlier in this article.

Use search query in the search box to filter events

When you place your cursor in the search box, the search box displays a list of dimensions based on the user events. These dimensions vary according to the data source. Use the dimensions and the valid operators to define your search criteria and search for the required events.

For example, in the self-service search for access, you get the following dimensions for the access events. Use the dimensions to type your query, select the time period, and then click Search.

Search query

Supported operators in search query

Use the following operators in your search queries to refine your search results.

Operator Description Example Output
: Assign a value to the search query User-Name : John Displays events for the user John
= Assign a value to the search query User-Name = John Displays events for the user John
~ Search similar values User-Name ~ test Displays events having similar user names
”” Enclose values separated by spaces User-Name = “John Smith” Displays events for the user John Smith
<, > Search for relational value Data Volume > 100 Displays events where data volume is greater than 100 GB
AND Search values where both conditions are true User-Name : John AND Data Volume > 100 Displays events of user John where data volume is greater than 100 GB
* Search values that match the character zero or more times User-Name = John* Displays events for all user names that begin with John
    User-Name = *John* Displays events for all user names that contain John
    User-Name = *Smith Displays events for all user names that end with Smith
!= Search values where the condition is not true Country != USA Displays events for the countries except USA

The NOT EQUAL (!=) operator can be used only in the following conditions:

Data source Dimensions
Access Control Country, City, Action, URL, URL Category, Reputation, Browser, OS, Device
Content Collaboration Country, City, Client OS
Gateway Authentication Stage, Client IP
Virtual Apps and Desktops Country, City, App Name, Clipboard Operation, Browser, OS


For the NOT EQUAL operator, while entering the values for the dimensions in your query, use the exact values available on the self-service search page for a data source. The dimension values are case-sensitive.

For more information on how to specify your search query for the data source, see the self-service search article for the data source mentioned earlier in this article.

Select time to view event

Select a preset time or enter a custom time range and click Search to view the events.

Time selection

View the timeline details

The timeline provides a graphical representation of user events for the selected time period. Move the selector bars to choose the time range and view the events corresponding to the selected time range.

The figure shows timeline details for access data.

Timeline details

View the event

You can view the detailed information about the user event. Click a user to get insight into their data.

The figure shows the details about the user’s access data.


Add or remove columns

You can either add or remove columns from the event table to display or hide the corresponding data points. Do the following:

  1. Click Add or Remove Columns.

     Update events

  2. Select or deselect the data points from the list and then click Update.

    Update columns

If you deselect a data point from the list, the corresponding column is removed from the event table. However, you can view that data point by expanding the event row for a user. For example, when you deselect the TIME data point from the list, the TIME column is removed from the event table. To view the time record, expand the event row for a user.

Hidden attributes

Export the events to a CSV file

Export the search results to a CSV file and save it for your reference. Click Export to CSV format to export the events and download the CSV file that is generated.

CSV export

As an administrator, you can save a self-service query. This feature saves the time and effort of rewriting the query that you use often for analysis or troubleshooting. The following options are saved with the query:

  • Applied search filters
  • Selected data source and duration

Do the following to save a self-service query:

  1. Select the required data source and duration.

  2. Type a query in the search bar.

  3. Apply the required filters.

  4. Click Save Search.

  5. Specify the name to save the custom query.


    Ensure the query name is unique. Otherwise, the query does not save.

  6. Click Save.

To view the saved searches, select View Saved Searches.

In this example, the self-service query is User-Name = testuser. And, applied filters such as Event Type, Domain, and Platform are saved with the query.

Save self-service search

To remove a saved search:

  1. Select View Saved Searches.
  2. Select the saved search that you want to remove.
  3. Click Remove saved search.

Remove saved search


  • Only a query owner can edit or remove the saved search.
  • You can copy the saved search link address to share with another user.
Self-service search