Report Query screen
The Query page is accessed by clicking the Reports tab, and then clicking the Query tab. You can also access this page in one of the following ways:
- From the Messages > Search page
- By clicking the Run Query hyperlink at the top of every product page
The Query tool provides an alternate way of searching data from the Messages > Search page, scanning all messages for simple or complex match patterns. The page launches a background process to perform the query. The query results and the status of the query are displayed on the Query page, as in the following image:

The Query page provides several features that simplify the operator's query workflow. To execute a query as a background process, click the Generate option to display the Query page, fill out the query form, and click Confirm.
As the background process executes, the results of the query are periodically displayed on the screen along with the progress of the query. You can terminate the background process and enter a new query using a Terminate option that is displayed while a background query runs.
Additionally, the screen provides various functions to search the query results, and to review and search query history. The following hyperlinks are available at the top of the Query page:
- Search These Results—Click the hyperlink to open the Search These Results page so you can search the query results for an additional keyword and sort the query results in ascending or descending order.
- Graph Results—Click the hyperlink to see a simple graph showing the message results over a period of time. You can drill down into the graph to see the messages for the time interval. This provides a time view of the query results, especially useful for forensics.
- History—Click the hyperlink to access the Query History page, which shows the last 10 queries you executed. On the Query History page, you can select a past query and results, and load these items into the main display. You can also search history for specific keywords contained in any of the query results.
- Analyze—Click the hyperlink to access the Analysis function, which breaks the query results into a list of the devices, users, facilities, and severities contained in the matching messages. This Analysis function is similar to the Catalog displays, and enables you to view and drill down into smaller message sets.
- Saved Queries—Click the hyperlink to view saved queries. Saved queries are specific to the signed-in user and simplify repetitive query operations.
As the query runs, its progress is displayed in the row of hyperlinks described above. This query status updates approximately once every ten seconds. Additionally, the page refreshes approximately every fifteen seconds (an interval you can change) to show the latest results.
The query results are retained on the main page until the next query, or until you click the Clear button at the top of the page. This allows you to launch a long-running query, leave the page to perform other BMC Defender Server activities (or browse elsewhere on the network), and return later to collect the query results.
Report Query page, additional features
The following features are also available from the Report Query page:
| Feature | Description |
|---|---|
Downloading query results | The Query page allows you to download the results of the query in several different formats: You can download HTML, CSV, raw text, and PDF reports. As such, the query facility is an excellent way to create ad-hoc evidence associated with audits, such as to produce evidence of a user's suspicious behavior, failures of a particular application, or other situation requiring a static report for later reference. |
Saving and sharing queries | You can use the Saved Queries function to save queries for later use, and share saved queries (if configured to share from the System > Parameters page). This provides a mechanism for configuring site-specific queries that might apply to certain complex forensic situations. |
Executing and terminating queries | You can execute only one query at a time. You must terminate the current query before starting a new one. Each signed-in user can execute their own queries without interference from other users of the BMC Defender Server system. |
Extracting data efficiently | The Query function is a much more rigorous way of extracting data from BMC Defender Server than the Messages > Search facility, which it complements, and it better supports forensics and analytics. The default LogFile search scans all log files on the system for data; it is the most rigorous method but also extremely slow. A better way of performing a query is to search a particular correlation thread, which can be 1,000 times faster than searching all log data from beginning to end. |