Context Tables in Search
When using search, you can select up to two context tables to include in your query. Including context tables allows you to search inside any field and compare its values to the values in the context tables. When building the query using Basic Search, you can select context tables from a list. In Advanced Search, you can type the table name into the query. Search performs a data type validation between the field you select and the content within the selected context tables.
When using Basic Search, a preview of the first 3 rows of the selected context table is displayed.
Note
Context table names are used instead of IDs, so a saved search that uses a context table will stop working if that table is renamed.
Follow the rules below when using context tables in a search:
You cannot use a context table that has more than 100,000 rows. If a context table is larger than this, it will not appear in the list of context tables available for selection.
Both custom and filtered context tables can be used in Search.
There must be at least one entry in the context table in order for it to be selectable in Search.
Context table lookup is only available for fields that are of a string-like type (string, ip, email, etc.) or number type (number, integer). It is not available for other types (Boolean, time, etc.).
Note
Context search performs case-insensitive, exact-match searching and NOT token searching. For example, searching for an ID of "james" will return results for "james", "James", and "JAMES".
You can use a maximum of two context table lookups per search query.
Context table lookups can only be added to a query with AND or AND NOT logic.
Context table lookups are limited to a 30 day sliding window.
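The rules above are easier to reason about when they are seen on sample data. The following is an added illustration, not Exabeam's code and not the product's query syntax: it models the documented lookup behaviour (row limit, non-empty table, eligible field types, data type validation, case-insensitive exact matching rather than token matching, at most two lookups, AND / AND NOT combination) over constructed tables and events. The table names, field names, and events are all invented for the example.

```python
"""Model of the documented context-table lookup rules (added illustration,
not Exabeam's implementation). All sample data below is constructed."""
from __future__ import annotations

from typing import Any

MAX_ROWS = 100_000   # larger tables are not offered for selection
MAX_LOOKUPS = 2      # context-table lookups allowed per search query

STRING_LIKE = {"string", "ip", "email"}   # lookup-eligible, matched as text
NUMBER = {"number", "integer"}            # lookup-eligible, matched numerically


class ContextTableError(ValueError):
    """A table or field cannot take part in a context lookup."""


def table_is_selectable(rows: list[dict[str, Any]]) -> bool:
    """A table must have at least one row and no more than MAX_ROWS."""
    return 0 < len(rows) <= MAX_ROWS


def field_is_eligible(field_type: str) -> bool:
    """Only string-like and number fields support lookup (not Boolean, time, ...)."""
    return field_type in STRING_LIKE or field_type in NUMBER


def _key(value: Any, field_type: str):
    """Comparison key: the whole value (no tokenising), case-folded for text."""
    if field_type in NUMBER:
        return float(value)            # ValueError for non-numeric content
    return str(value).strip().casefold()


def build_lookup(rows: list[dict[str, Any]], column: str, field_type: str) -> set:
    """Validate the table and the field/content types, then return the match keys."""
    if not table_is_selectable(rows):
        raise ContextTableError(f"table must have between 1 and {MAX_ROWS} rows")
    if not field_is_eligible(field_type):
        raise ContextTableError(f"lookup not available for field type {field_type!r}")
    keys = set()
    for row in rows:
        try:
            keys.add(_key(row[column], field_type))
        except (KeyError, ValueError) as exc:
            # Data type validation between the selected field and the table content.
            raise ContextTableError(
                f"column {column!r} does not fit field type {field_type!r}") from exc
    return keys


def apply_lookups(events: list[dict[str, Any]], lookups: list[dict[str, Any]]):
    """Filter events by up to MAX_LOOKUPS lookups combined with AND / AND NOT.

    Each lookup: {"field", "field_type", "rows", "column", "negate"} where
    negate=True means AND NOT (keep events whose value is absent from the table).
    """
    if len(lookups) > MAX_LOOKUPS:
        raise ContextTableError(f"at most {MAX_LOOKUPS} context lookups per query")
    compiled = [
        (lk["field"], lk["field_type"],
         build_lookup(lk["rows"], lk["column"], lk["field_type"]),
         lk.get("negate", False))
        for lk in lookups
    ]
    matched = []
    for ev in events:
        keep = True
        for field, ftype, keys, negate in compiled:
            try:
                hit = field in ev and _key(ev[field], ftype) in keys
            except ValueError:
                hit = False          # an event value of the wrong shape never matches
            if hit == negate:        # AND needs a hit, AND NOT needs a miss
                keep = False
                break
        if keep:
            matched.append(ev)
    return matched


def ids(events: list[dict[str, Any]]) -> list[int]:
    return [e["id"] for e in events]


# Constructed sample context tables and events (not from the documentation).
VIP_USERS = [{"user": "James"}, {"user": "ADMIN"}]
SERVICE_ACCOUNTS = [{"user": "svc_backup"}]
BLOCKED_PORTS = [{"port": "23"}, {"port": "445"}]      # stored as text in the table
EVENTS = [
    {"id": 1, "user": "james", "dest_port": 443},
    {"id": 2, "user": "JAMES", "dest_port": 23},
    {"id": 3, "user": "james smith", "dest_port": 80},   # contains the token, not an exact match
    {"id": 4, "user": "svc_backup", "dest_port": 445},
    {"id": 5, "user": "bob", "dest_port": 22},
]

if __name__ == "__main__":
    vip = {"field": "user", "field_type": "string", "rows": VIP_USERS, "column": "user"}
    print("AND vip:", ids(apply_lookups(EVENTS, [vip])))                          # [1, 2]
    print("AND NOT vip:", ids(apply_lookups(EVENTS, [dict(vip, negate=True)])))  # [3, 4, 5]
```

Event 3 shows the difference between exact matching and token matching: "james smith" contains the token "james" but is not returned, while the differently cased "james" and "JAMES" in events 1 and 2 are.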
There are several restrictions when using context tables in a search based on the license you hold:
The search query time range must be within the number of months in your license, plus additional months if you are subscribed to any extended retention add-ons.
Note
If the search query is beyond the allowed time range, you will not be able to use a context table and will see a message explaining that the time range is beyond the allowed period.
If your license restricts the use of third-party logs:
and you have an Exabeam Security Analytics license, your query will only return the first 10 events from third-party logs.
and you have an Exabeam Security Investigation license, you will have 7 days of full search, and then will be restricted to the first 10 events from third-party logs.