Saved Search Definitions

Overview

A saved search definition creates a dashboard and a report, both titled with the name you give the definition.

You can create any number of saved search definitions on any log source (for example, several search definitions on a single DNS log).

The Saved Definitions drop-down lists all saved search definitions. Each saved search definition is a resource from which data can be pulled into a widget on a dashboard and report as you design them.

[Figure: saved-definitions]

Configure Search Definitions

This procedure configures a search definition, which adds a dashboard and a report.

  1. On the Insights Dashboard toolbar, click the System Configuration (cog) icon, then select Search.

  2. On the Create Definitions tab, determine which logs contain the data you wish to analyze.

    An example is DNS logs from a Bind9 open source DNS server. In this case, type any word contained in these logs, such as “queries”, and then confirm that the matching log entries are coming from the Bind9 DNS server.

  3. Extract the fields you wish to analyze (perform this step for each field you wish to extract):

    • Highlight the field by dragging the cursor over it, or double-click the field.

    • In the Extract Field dialog, fill out the field name.

    • Click Save.

      The automated Regular Expression engine extracts the field and saves the field name, which displays beneath Saved Definitions.

    [Figure: build-dash-extract-1]

  4. Click the +Field button, then choose a field type from the Type drop-down based on the context of the log: Text, Integer, Float, Epoch Date, or Calculation.

    [Figure: build-dash-extract-2]

    Note

    When you select the “Calculation” field type, you must specify the math that derives an integer result; a bandwidth calculation is one example. The result is stored with the definition and is available for use on a dashboard.

    Drag the field(s) to calculate, add a numeric input, and then design the equation by dragging the operands and groupings.

    The equation is displayed below the bar so that you can check the logic. Click Test Calculation to have the system perform the math and display the results, so you can verify the logic before saving the calculation.

    [Figure: build-dash-extract-calc]

  5. Repeat these steps for each field you wish to analyze.

  6. When you have finished, enter a name for the new search definition.
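As an added illustration (not the product's own code), the following Python reproduces what a saved search definition on Bind9 query logs does: a regular expression extracts named fields, each field is coerced to one of the types offered in the +Field dialog, and a Calculation field derives an integer per line. The log lines, regular expression and field names are constructed for this example, and the timestamps are assumed to be UTC.

```python
import re
from datetime import datetime, timezone

# Constructed BIND9 "queries" category lines (file channel, print-time on);
# addresses and names are documentation ranges, not real traffic.
SAMPLE_LOG = """\
12-Jun-2023 10:15:32.123 queries: info: client @0x7f0e4c0a3a60 192.0.2.10#53412 (example.com): query: example.com IN A +E(0)K (198.51.100.1)
12-Jun-2023 10:15:33.004 queries: info: client @0x7f0e4c0a3a60 192.0.2.10#53413 (mail.example.com): query: mail.example.com IN MX +E(0)K (198.51.100.1)
12-Jun-2023 10:15:33.410 queries: info: client @0x7f0e4c0b1120 192.0.2.77#41002 (a3f9c2e1b7d4e5f6a1b2c3d4.tunnel.example.net): query: a3f9c2e1b7d4e5f6a1b2c3d4.tunnel.example.net IN TXT +E(0)K (198.51.100.1)
12-Jun-2023 10:15:34.000 general: info: zone example.org/IN: loaded serial 2023061201
"""

# One named group per extracted field; the optional @0x... token is the client handle.
QUERY_RE = re.compile(
    r"^(?P<timestamp>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) queries: info: "
    r"client (?:@0x[0-9a-f]+ )?(?P<client_ip>[0-9a-fA-F.:]+)#(?P<client_port>\d+) "
    r"\([^)]*\): query: (?P<qname>\S+) IN (?P<qtype>\S+) "
)

# Field types as offered in the +Field dialog (Text, Integer, Float, Epoch Date).
FIELD_TYPES = {"timestamp": "Epoch Date", "client_ip": "Text",
               "client_port": "Integer", "qname": "Text", "qtype": "Text"}

# Calculation fields: an integer derived from the extracted fields of each line.
CALCULATIONS = {
    "qname_length": lambda f: len(f["qname"].rstrip(".")),
}

def coerce(value, ftype):
    """Convert a raw regex capture to the configured field type."""
    if ftype == "Integer":
        return int(value)
    if ftype == "Float":
        return float(value)
    if ftype == "Epoch Date":  # BIND9 timestamps carry no zone; UTC is assumed here
        dt = datetime.strptime(value, "%d-%b-%Y %H:%M:%S.%f")
        return dt.replace(tzinfo=timezone.utc).timestamp()
    return value

def extract_fields(line):
    """Apply the definition to one line; None for lines that are not query logs."""
    m = QUERY_RE.match(line)
    if not m:
        return None
    fields = {n: coerce(v, FIELD_TYPES[n]) for n, v in m.groupdict().items()}
    fields.update((n, calc(fields)) for n, calc in CALCULATIONS.items())
    return fields

def run_definition(log_text):
    """Records the definition would hand to a dashboard or report widget."""
    return [f for f in map(extract_fields, log_text.splitlines()) if f]
```

A widget such as "queries per client" or "longest query names" is then just an aggregate over these records.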

Manage Saved Search Definitions

This procedure describes how to clone, edit, and delete saved search definitions (resources).

  1. On the Insights Dashboard toolbar, click the System Configuration (cog) icon, then select Search.

  2. On the Create Definitions tab, select a saved search definition from the drop-down.

  3. Choose an option:

    • Click Clone to copy an existing saved search definition, then give the clone a new name. You can then change only the field extractions you want instead of creating them from scratch.

    • Modify an existing saved definition, then click Save.

      When you save a modified definition, the dashboard updates as new log data arrives in the system.

    • Click Delete to remove a search definition from the list.