Query Using Structured Fields
The capability to query data in structured fields allows you to search complex data ingested in multiple formats. This includes the ability to query any field stored in a structured object format, as well as data enriched with geolocation IP information.
This functionality provides the following benefits:
- It allows you to query any dynamically enriched field, including fields that are not mapped to the Exabeam common information model (CIM), without the need to create a custom field (_c). This means that, beyond querying raw data, you can use your own enterprise data fields in search, such as a field like geo_src_ip.country.
- It allows you to reference complex field structures in search queries, including geolocation IP information stored using a dot notation structure.
For more information, see Query Geolocation IP Fields.
Query Geolocation IP Fields
When Geolocation IP (GeoIP) fields are ingested in Log Stream, they are represented using a dot notation format that makes them available for search. This data can be used to enrich a range of IP fields that currently exist in the Exabeam common information model. For a list of the IP fields that can be enriched with GeoIP data, see the list in Fields Available for GeoIP Enrichment.
Enrichment with GeoIP data produces new geo-prefixed fields. For example, when a dest_ip field is enriched, the results include both dest_ip and a new geo_dest_ip field. The Event Details panel of a search result shows an example of these fields.
To query GeoIP fields in Search, select the Advanced option from the Search mode drop-down menu. In the Search bar, use the following syntax: geo_dest_ip.field:"value" or geo_src_ip.field:"value", where field is one of the supported GeoIP attributes listed below.
Examples:
geo_dest_ip.country:"US"
geo_src_ip.city=="glenmont"
geo_src_ip:[1.0.0.0 To 127.255.255.255]
geo_dest_ip.latitude=="40.537"
The following GeoIP fields are supported for Search:
Destination IP fields | Source IP fields
--- | ---
geo_dest_ip | geo_src_ip
geo_dest_ip.city | geo_src_ip.city
geo_dest_ip.country | geo_src_ip.country
geo_dest_ip.latitude | geo_src_ip.latitude
geo_dest_ip.longitude | geo_src_ip.longitude
geo_dest_ip.isp | geo_src_ip.isp
Note (limitation): Autocomplete is not currently available, so when entering a GeoIP field name in a query, you must know the full and precise field name. See the list above for the available GeoIP fields.
Fields Available for GeoIP Enrichment
The following Exabeam common information model IP fields are currently available for Geolocation IP enrichment:
dest_ip
src_ip
Certain IP address ranges do not support enrichment with GeoIP information. These include the special-use ranges listed in RFC 5735 of the Internet Engineering Task Force, as well as other IP addresses that are reserved for a specific company (for example, 168.63.129.16 is owned by Microsoft).
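The following is an added illustration, not Exabeam code, of the two ideas this page describes: enrichment that turns a dest_ip or src_ip value into geo_dest_ip / geo_src_ip plus dotted attribute fields (skipping the RFC 5735 special-use ranges), and queries in the three forms shown above (field:"value", field=="value", field:[a To b]) evaluated against those dotted fields. The CIDR lookup table, the geolocation values and the sample events are constructed; treating ':' and '==' alike and comparing strings case-insensitively are assumptions of this toy, not documented Search behaviour.

```python
"""Toy GeoIP enrichment and dotted-field query matching (added example, not Exabeam code)."""
import ipaddress
import re

# Constructed GeoIP lookup table: CIDR -> attributes. All values are invented.
GEO_TABLE = {
    "104.16.0.0/16": {"country": "US", "city": "Glenmont",
                      "latitude": "40.537", "longitude": "-73.927", "isp": "Example ISP A"},
    "81.2.69.0/24":  {"country": "GB", "city": "London",
                      "latitude": "51.514", "longitude": "-0.093", "isp": "Example ISP B"},
}

# RFC 5735 special-use IPv4 ranges: addresses in these ranges are never enriched.
RFC5735_RANGES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.0.0.0/24", "192.0.2.0/24", "192.88.99.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4", "255.255.255.255/32",
)]

# CIM IP fields eligible for enrichment, as listed on the page.
ENRICHABLE_FIELDS = ("dest_ip", "src_ip")


def geo_lookup(ip_str):
    """Return geolocation attributes for an address, or None if the address is
    reserved (RFC 5735) or absent from the lookup table."""
    ip = ipaddress.ip_address(ip_str)
    if any(ip in net for net in RFC5735_RANGES):
        return None
    for cidr, attrs in GEO_TABLE.items():
        if ip in ipaddress.ip_network(cidr):
            return attrs
    return None


def enrich(event):
    """Add geo_<field> and geo_<field>.<attribute> keys for each enrichable IP field."""
    out = dict(event)
    for field in ENRICHABLE_FIELDS:
        value = event.get(field)
        attrs = geo_lookup(value) if value else None
        if attrs is None:
            continue  # reserved, unknown or missing address: no geo_ fields produced
        geo_field = f"geo_{field}"
        out[geo_field] = value
        for name, attr in attrs.items():
            out[f"{geo_field}.{name}"] = attr
    return out


# Grammar for the three query forms shown on the page. ':' and '==' are treated
# alike here (assumption of this toy).
QUERY_RE = re.compile(
    r'^(?P<field>[\w.]+)'
    r'(?:(?::|==)"(?P<val>[^"]*)"'               # field:"value" or field=="value"
    r'|:\[(?P<lo>[\d.]+) To (?P<hi>[\d.]+)\])$'  # field:[a To b] IP range
)


def matches(event, query):
    """Evaluate one query against one enriched event. String comparison is
    case-insensitive so that city=="glenmont" matches "Glenmont" (assumption)."""
    m = QUERY_RE.match(query.strip())
    if not m:
        raise ValueError(f"unsupported query syntax: {query!r}")
    field = m.group("field")
    if field not in event:
        return False  # e.g. a private src_ip produced no geo_src_ip field at all
    if m.group("lo") is not None:
        ip = ipaddress.ip_address(event[field])
        return ipaddress.ip_address(m.group("lo")) <= ip <= ipaddress.ip_address(m.group("hi"))
    return str(event[field]).lower() == m.group("val").lower()


def search(events, query):
    """Return the user names of the events matching the query, in input order."""
    return [e["user"] for e in events if matches(e, query)]


# Constructed sample events: bob's source and alice's destination are RFC 1918
# addresses; carol's destination lies in TEST-NET-3 (203.0.113.0/24).
RAW_EVENTS = [
    {"user": "alice", "src_ip": "104.16.5.9",   "dest_ip": "10.0.0.5"},
    {"user": "bob",   "src_ip": "192.168.1.20", "dest_ip": "104.16.5.9"},
    {"user": "carol", "src_ip": "81.2.69.142",  "dest_ip": "203.0.113.7"},
]
EVENTS = [enrich(e) for e in RAW_EVENTS]

if __name__ == "__main__":
    for q in ('geo_dest_ip.country:"US"', 'geo_src_ip.city=="glenmont"',
              'geo_src_ip:[1.0.0.0 To 127.255.255.255]', 'geo_dest_ip.latitude=="40.537"'):
        print(f"{q:45} -> {search(EVENTS, q)}")
```

Running the block shows why a query on geo_src_ip.country silently omits events whose source address was private or reserved: enrichment never created the geo_src_ip fields for them, so no dotted field exists to match. When building detections on country or ISP, pair such a query with one on the raw src_ip field to account for traffic that cannot be geolocated.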