Siren Platform User Guide

Searching your data

You can search the indices that match the current index pattern by entering your search criteria in the Query bar. You can perform a simple text search, use the Lucene query syntax, or use the full JSON-based Elasticsearch Query DSL.

When you submit a search request, the histogram, Documents table, and Fields list are updated to reflect the search results. The total number of hits (matching documents) is shown in the toolbar. The Documents table shows the first five hundred hits. By default, the hits are listed in reverse chronological order, with the newest documents shown first. You can reverse the sort order by clicking the Time column header. You can also sort the table by the values in any indexed field. For more information, see Sorting the Documents Table.3.3.4 Viewing document data

To search your data, enter your search criteria in the Query bar and press Enter or click Search (fa-search.png) to submit the request to Elasticsearch.

  • To perform a free text search, enter a text string. For example, if you are searching web server logs, you could enter safari to search all fields for the term safari.
  • To search for a value in a specific field, prefix the value with the name of the field. For example, you could enter status:200 to find all of the entries that contain the value 200 in the status field.
  • To search for a range of values, you can use the bracketed range syntax, [START_VALUE TO END_VALUE]. For example, to find entries that have 4xx status codes, you could enter status:[400 TO 499].
  • To specify more complex search criteria, you can use the Boolean operators AND, OR, and NOT. For example, to find entries that have 4xx status codes and have an extension of php or html, you could enter status:[400 TO 499] AND (extension:php OR extension:html).

Note

These examples use the Lucene query syntax. You can also submit queries using the Elasticsearch Query DSL. For examples, see query string syntax in the Elasticsearch Reference.

Saving searches enables you to reload them into Discover and use them as the basis for visualizations. Saving a search saves both the search query string and the currently selected index pattern.3.5. Visualize

To save the current search:

  1. Click Save in the Siren Investigate toolbar.
  2. Enter a name for the search and click Save.

You can import, export and remove saved searches from ManagementSaved Objects.

To load a saved search into Discover:

  1. Click Open in the Siren Investigate toolbar.
  2. Select the search you want to open.

If the saved search is associated with a different index pattern than is currently selected, opening the saved search also changes the selected index pattern.

Changing which indices you are searching

When you submit a search request, the indices that match the currently-selected index pattern are searched. The current index pattern is shown below the toolbar. To change which indices you are searching, click the index pattern and select a different index pattern.

For more information about index patterns, see Creating an Index Pattern.3.9.1. Index patterns

Refreshing the search results

As more documents are added to the indices you are searching, the search results shown in Discover and used to display visualizations get stale. You can configure a refresh interval to periodically resubmit your searches to retrieve the latest results.

To enable auto refresh:

  1. Click Time Picker (fa-clock-o.png) in the Siren Investigate toolbar.
  2. Click Auto refresh.
  3. Choose a refresh interval from the list.

    Auto refresh intervals.

When auto refresh is enabled, the refresh interval is displayed next to the Time Picker, together with a Pause button. To temporarily switch off auto refresh, click Pause.

Note

If auto refresh is not enabled, you can manually refresh visualizations by clicking Refresh.