- Search Overview
- Search Home Page
- Performing Searches
- Basic Search
- Advanced Search
- Advanced Search Building Blocks
- Running an Advanced Search Query
- Query Syntax
- Query by Subject
- Query by Vendor and Product
- Query by Field and Value
- Query by Context Table
- Query Using Regex
- Free Text Search
- Query Using Advanced Query Language Operators
- Query Using Aggregation Functions
- Query Using Structured Fields
- Dynamic Field Extraction
- Natural Language Search
- Anomaly Search
- Refine a Search
- Context Tables in Search
- Search Best Practices
- Search Results
- Dashboard Visualizations
Advanced Search
In the Advanced search mode, you can construct your own search queries using Exabeam Query Language (EQL) syntax and operators. The Advanced search mode includes several features to facilitate ease of use and readability when creating complex queries:
White space characters (such as spaces, tabs, and line breaks) can be used between query syntax terms. This formatting is preserved when a query is saved.
Line numbering is displayed for queries that are formatted on multiple lines.
Color-coding is used to make syntax elements recognizable.
Warnings and syntax validation errors are displayed per line.
Advanced Search Building Blocks
For information about using Advanced query syntax and operators, see the relevant sections below:
Running an Advanced Search Query
Before you begin, understand the Advanced Search Building Blocks and Search Best Practices.
On the Search home page, click the Search Mode drop down menu under the search bar and select the Advanced option. The search bar changes to present a numbered line area to enter query syntax.
Click in the search bar to begin building your query.
As you enter a field name in the search bar, a list of suggested fields is populated and you can opt to select a field from the list. Then populate a search value for the field using the appropriate syntax.
Advanced search suggestions are context-relevant and are updated dynamically depending on the type of clause or syntax you are entering. For easy visual recognition, the suggestions are prefixed with icons that indicate what type of syntax the suggestion represents:
– A key word, such as SELECT or WHERE
– A logical operator, such as AND or OR
– A field, such as vendor or subject
– A field value, such as Exabeam (for a vendor field) or alert (for a subject field)
– A function, such as RGX or RGX_EXTRACT
Correct any query validation errors that are identified by the Advanced Search. Validation errors and warnings are indicated by a symbol displayed next to the affected line. Errors must be corrected before you can run the query, but warnings are not required to be corrected. If you hover your cursor over the error count at the bottom of the search bar, a list of errors is displayed.
Tip
In some cases, the warning or error indications (icons and highlighting) might not appear at the exact location of the syntax issue. When the syntax is invalid, it can become ambiguous and, without knowing the user's intention, cannot identify the exact error location. For example, in the case of a missing character, the icon and highlighting may appear not at the exact location of the omission, but later in the query syntax.
Select a time range for the search results by clicking the time range icon (
) in the top left corner of the search bar. A dialog box opens where you can select various Quick, Relative, or Absolute time ranges.Click the Search icon (
) to launch your query.