Specifying Parameters for a New Search

Procedure

  1. Select Search > Regular Expression Search from the navigation menu.
  2. (Management Station only) Select the appliance (or All Appliances) on which to run the search.
  3. Select the Device Type.
  4. Select the Source Device, or all devices, connected to the appliance.
    To view Global groups created on this Management Station, you must select Appliance > All Appliances.

    Devices with a Collector Domain are displayed in one of two ways:

    • For Collector Domains specified in a UC, the format <collector domainid>_<device IP>_<devicetype> is displayed in the Name field. For example, a Windows machine with an IP address of 10.10.10.10 and a collector domain is displayed as 1_10.10.10.10_windows.
    • For Collector Domains specified in LogLogic LMI (Management > Devices > AddNew), the Collector Domain name is displayed in the Collector Domain field.
  5. Specify the Time Interval in which to search for data passing through your appliance.
  6. Define your Search Filter. Select one of the following options and specify the respective parameters.
    • Retrieve All—Use to retrieve all log files collected during a specified time interval regardless of the defined search expression parameters.
    • Pre-Defined—Select a pre-defined search expression (defined in/by search filters). All search filters you create appear in the drop-down menu as a pre-defined search expression. If the selected filter includes multiple parameter fields, a text field for each parameter appears. The maximum length for each field is 25 characters.
    • Use Words—Use one or more specific words as a search parameter.
    • Use Exact Phrase—Use an exact phrase as a search parameter.
    • Regular Expression—Use a regular expression as a search parameter.

      For more information about modifying or creating search expressions, see Search Filters.

  7. Specify the Time Interval to search for data passing through your appliance.
  8. Set a time for the search; do one of the following:
    • Select the Schedule Search to Run Immediately checkbox to start your search of archived data immediately.
    • Define a time to start the search of archived data. If the selected time is in the past, the search runs immediately. This search is useful if you know exactly which data source you want to search and do not need to search a time interval.
  9. Enter a Search Name for the search.
  10. Select the Notify me when this search completes checkbox to receive a notification that the search has completed.
  11. To generate the report, click the Run button.
    Note: Concurrent Regular Expression Searches apply only to appliance models later than the 1000 series. You can select the number of concurrent searches to perform. The default is one, but you can choose to perform up to four searches concurrently. To specify more than four, you must edit the capability.xml file.