Export Search Results
Use the export functionality to download the search results to your local computer. You can capture the results to attach them to another system, or when you need to work with the data outside of the Exabeam interface.
To export events:
While a search is running, or after it completes, click Export Events.
Fill in the export parameters. You can choose to export just the raw logs, or the raw logs along with all or some of the parsed fields.
Time Range – Select a quick or an absolute time range for the events you want to export.
Sorting – Choose whether you want the exported events to be sorted by Recent First or Oldest First. This option is not available if the query contains syntax that does not support result sorting.
File Name – Enter a file name for the exported events file.
Data Format – Select one of the following options from the drop-down menu. The export file is compressed and delivered as a zipped file.
Parsed Fields – This format exports the events in a comma-separated value (CSV) file with field-specific columns and multiple result rows. The columns that are included depend on the option you select for the Field Template.
Raw Logs – This format exports the events in a comma-separated value (CSV) file with a single column for each result row.
Include null fields – Select to include null fields when exporting events. By default, this check box is not selected and null fields are excluded from export.
Include raw logs – Select to include raw log data when exporting events (you must select Parsed Fields in the Data Format menu).
Field Template – If you selected Parsed Fields in the Data Format menu, you can select All Parsed Fields or select a specific field template from the drop-down list.
Note
Hover over any field template name to see a list of fields that are included in the template.
Click Export. The compressed exported events file is stored in My Downloads and you will receive a notification when the export is complete.
To download and extract the CSV events file:
Click the notification when it is displayed or click the Your Notifications icon in the top right corner of the screen.
Click the My Downloads link in the notice. The My Downloads list opens.
Find the exported file you want to download in the My Downloads list, and click the Completed link in the Status column to download the compressed file to your hard drive for extraction.
Note
Export files expire after 30 days, after which they are no longer available in the history or for download.
Note
Search can export up to 20 million search local query results. These results will be batched in files based on their size, up to 1GB per file, and zipped together.
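Because a large export arrives as several CSV batches zipped together, it is often easier to stream rows directly from the downloaded archive than to extract every file first. The following is an added example, not Exabeam code: the file names and column names in the sample archive are constructed, and the script assumes each CSV batch begins with a header row.

```python
import csv
import io
import zipfile


def iter_export_rows(zip_source):
    """Yield (member_name, row_dict) for every CSV row in an export archive.

    Rows are streamed from the archive, so batches of up to 1 GB each are
    never extracted to disk or loaded into memory whole.
    Assumption: every CSV batch begins with a header row.
    """
    with zipfile.ZipFile(zip_source) as archive:
        for name in archive.namelist():
            if not name.lower().endswith(".csv"):
                continue  # ignore anything that is not a CSV batch
            with archive.open(name) as raw:
                text = io.TextIOWrapper(raw, encoding="utf-8-sig", newline="")
                for row in csv.DictReader(text):
                    yield name, row


def summarize_export(zip_source):
    """Return per-batch row counts, the columns seen, and the likely format."""
    counts, columns = {}, set()
    for name, row in iter_export_rows(zip_source):
        counts[name] = counts.get(name, 0) + 1
        # DictReader stores overflow cells under the key None; skip that key.
        columns.update(key for key in row if key is not None)
    # A single column per row matches the Raw Logs format described above.
    data_format = "Raw Logs" if len(columns) == 1 else "Parsed Fields"
    return {"rows_per_file": counts, "columns": sorted(columns),
            "data_format": data_format}


def build_sample_export():
    """Constructed two-batch archive standing in for a real download."""
    header = "user,src_ip,activity\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("export_1.csv",
                         header + "alice,10.0.0.5,logon\nbob,10.0.0.9,logoff\n")
        archive.writestr("export_2.csv", header + "carol,10.0.0.7,logon\n")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    print(summarize_export(build_sample_export()))
```

To use it on a real download, pass the path of the compressed file from My Downloads to `summarize_export` or `iter_export_rows` in place of the constructed sample.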