Setting up the search query
On the first page of the task configuration wizard, one can set, view, or change the settings that determine which log records and data objects the task will look for:
Query - One or more strings that determine the words or phrases to find. By default, the strings are combined by AND logic, that is, the search returns the items that match each of the strings specified.
Search groups and saved queries can be added to the Query box as follows:
To add search groups, click the Content Database button. Then, in the dialog box that appears, double-click the desired group, or select group/s to add and click the Add button. For more information on search groups, see Managing content-aware search groups.
In the Query box, a search group is represented by its name enclosed in percent signs: %group_name%. It is possible to add a search group by typing a percent sign followed by the group name. As you type, a list of groups that match the entered name appears in the Query box, allowing you to select the desired group from that list.
To add a previously saved query, click the Saved Query button. Then, in the dialog box that appears, double-click the desired saved query, or select it and click OK. For more information on saved queries, see Managing saved queries.
When composing a query string, one can use commands from the shortcut menu that appears upon a right-click in the Query box:
Insert - Displays commands to add a logical operator to the query string. Operators such as AND/OR can be added by typing them in uppercase, or by choosing an operator from the Insert menu. For details, see About logical operators.
To display commands for adding logical operators, one could also press Ctrl+D after clicking in the Query box.
Save as - Saves the current query strings for future reuse. For more information, see Managing saved queries.
The shortcut menu in the Query box also provides the standard commands for working with text, such as Cut, Copy, Paste, etc.
Display <number> results per page - The number of search results to be included on the task’s report page.
Limit results to the following logs - Check boxes to specify the logs to search. One can select any combination of these logs:
Audit Log (selected by default)
Shadow Log (selected by default)
Deleted Shadow Data Log (selected by default)
UAM Log
Server Log
Monitoring Log
Policy Log
Limit results to the following date range - Options to search for only the log records in a certain date range:
From - One can choose the range beginning from the earliest record date in the log (option First Record), or select a certain date (option Records On). In the latter case, the search is performed on records made no earlier than the selected date.
To - Together with the From setting, one can set the range end to the latest record date in the log (option Last Record), or select a certain date (option Records On). In the latter case, the search is performed on records made no later than the selected date.
Last - When this option is selected instead of From, the search includes only the records for a certain number of past days, weeks, or months before the date that the search is performed. Select the desired number and time unit (days, weeks, or months).
Limit results to the following parameters - Options to search for only the items that match the following settings:
Sender(s) - Sender identifiers for the following protocols: IBM Notes, ICQ Messenger, IRC, Jabber, Mail.ru Agent, MAPI, Skype, SMTP, Telegram, Viber, Web Mail, WhatsApp, Zoom. The search returns the results associated with the specified sender/s.
To specify multiple senders, separate their identifiers by a semicolon (;). Identifiers may include wildcards such as an asterisk (*) to denote any sequence of zero or more characters and a question mark (?) to denote any single character.
Recipient(s) - Recipient identifiers for the protocols IBM Notes, ICQ Messenger, IRC, Jabber, Mail.ru Agent, MAPI, Skype, SMTP, Telegram, Viber, Web Mail, WhatsApp, Zoom, as well as for the following social networks: Facebook, Google+, LiveJournal, LinkedIn, LiveInternet, Myspace, Odnoklassniki, Twitter, VKontakte. The search returns the results associated with the specified recipient/s.
To specify multiple recipients, separate their identifiers by a semicolon (;). Identifiers may include wildcards such as an asterisk (*) to denote any sequence of zero or more characters and a question mark (?) to denote any single character.
File Type(s) - File type description (either full or partial), such as “Zip 1.0”, “E-Mail message (Var.2)”, “Disk Image (Macintosh)”. The search returns the results associated with any of the specified file types.
To specify multiple file types, separate file type descriptions by a semicolon (;). Descriptions may include wildcards such as an asterisk (*) to denote any sequence of zero or more characters and a question mark (?) to denote any single character.
Source(s) - Select device type/s or protocol/s from the drop-down list. The search returns the results associated with any of the selected device type/s or protocol/s.
Show only new results - If this check box is cleared, search results always include all items that match the search query. Select this check box to exclude from search results the items found during the previous runs of the task. When this check box is selected, the task reports behave as follows:
The first report after creating the task or changing the task’s search query includes all items found.
Each subsequent report includes only those items found that were not included in any of the preceding reports.
 
Important: For an existing task, if one changes the search query or any of the settings listed above, the first report after the change always includes all items found, regardless of whether or not the Show only new results check box is selected.
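The following Python sketch is an added example, not DeviceLock code: it models the semicolon-separated wildcard lists described for Sender(s) and the Show only new results behavior, including the reset after a query change. The class and function names, the constructed sample records, case-insensitive whole-identifier matching, and substring matching of query strings are all assumptions made for illustration.

```python
import re

def compile_filter(spec):
    """'a*;b?c' -> regexes. ';' separates alternatives, '*' is any run of
    zero or more characters, '?' is exactly one character."""
    out = []
    for part in filter(None, (p.strip() for p in spec.split(";"))):
        body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                       for c in part)
        # Assumptions: case-insensitive, pattern must cover the whole identifier.
        out.append(re.compile(body, re.IGNORECASE | re.DOTALL))
    return out

class SearchTask:
    """Hypothetical model of one scheduled search task."""
    def __init__(self, terms, senders="", only_new=False):
        self.only_new = only_new
        self.configure(terms, senders)

    def configure(self, terms, senders=""):
        self.terms = [t.lower() for t in terms]
        self.senders = compile_filter(senders)
        self.reported = set()   # changing the query discards the baseline

    def run(self, records):
        hits = [r for r in records
                # Query strings are ANDed (substring match is a simplification).
                if all(t in r["text"].lower() for t in self.terms)
                # An empty Sender(s) box means no restriction.
                and (not self.senders
                     or any(p.fullmatch(r["sender"]) for p in self.senders))]
        report = [r["id"] for r in hits
                  if not (self.only_new and r["id"] in self.reported)]
        self.reported.update(r["id"] for r in hits)
        return report

# Constructed sample records (not real log data).
RECORDS = [
    {"id": 1, "sender": "alice@example.com", "text": "Quarterly payroll export attached"},
    {"id": 2, "sender": "bob@example.org", "text": "payroll export for review"},
    {"id": 3, "sender": "carol@example.com", "text": "lunch menu"},
]
NEW = {"id": 4, "sender": "dave@example.com", "text": "Export of payroll data"}

def demo():
    task = SearchTask(["payroll", "export"], "*@example.com; bob@example.???", only_new=True)
    first = task.run(RECORDS)            # first report: every matching item
    second = task.run(RECORDS + [NEW])   # later report: only the unreported item
    task.configure(["payroll"], "*@example.com")
    third = task.run(RECORDS + [NEW])    # query changed: full result set again
    return first, second, third
```

The third report shows why a query edit on a long-running task can produce a large report: the set of previously reported items is discarded and every match is listed again.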