Using Search


When you need to investigate activity across all event types, use the Search tool. Search lets you match a word or phrase in any activity recorded across your network. Control the search in the following ways:

For example, you could search for the word "gun" in all Internet activities recorded for a single user within the last month (email, Web sites, online searches, and so on). The Dashboard looks for matches to "gun" in the activities and activity fields that you select. When it finds matches, the Search Results are displayed. You can view the events where matches were found and go directly to Screen Snapshots, User Explorer, or Data Explorer for further investigation.

Narrow the Global Criteria and Search Options before searching. If you include all users, all computers, and all recorded activities over a broad time period in the search, the search will be a lengthy process.  

Conducting a Search

To conduct a Search:

  1. Enter your search term(s).
    Type a word or phrase in the Search box in the right pane. You can use quotation marks and AND / OR operators to refine the search, as described in Search Rules.

  2. Check Include partial matches to broaden the matches returned, so that "terror" finds "terrorism," "sex" finds "sexual" and "Essex," and so on. Clear Include partial matches to match the word exactly.

  3. Under Search in, select event activities to search.
    Click to check Chat/IM, Online Searches, Email, and so on. The search includes only checked activities. Unchecked activities will not be searched. To clear all activities, click the Clear button below the options.

  4. Select event fields in which to search (optional).
    When you select an activity type to search, by default all event fields are selected to be searched. Click on an activity name, such as Chat/IMs, to open a Search Fields box. Here, you can check the fields you want to search and clear the fields you don't need to search.

    For example, in the Chat/IMs Search Fields box, you might clear "Local User" and "Remote Users" if you are searching for a word in chat contents, such as "gun." Click OK to set the field selection. See Search Fields for more information on Search Fields for activity types.

  5. Before executing the Search, check the Global Criteria in the left pane of the Dashboard. You can use Global Criteria to set a date range and specific computer or user data to search. For example, you can search data recorded on all computers for the previous month, but limit user logins on those computers to three names, as shown below. Click Apply. See Setting Global Criteria.

  6. To execute the search, click the Search button in the right pane below the Search In options.
    Wait while the Dashboard searches the data. If you are searching a broad time period or across many users and activities, the search may take several minutes. A Cancel button allows you to exit the search.

  7. View and explore the results. Results are shown as 8 hours of events per page. See Viewing Search Results.

Related Topics

Search Rules

Search Fields

Viewing Search Results

Viewing Search Details

Understanding Recorded Events