Using Search

Search - Click to enlarge

When you need to investigate activity of all types of any users on the network, use the Search tool. Search lets enter a search word or phrase and select activities in which to search. The Search tool queries data from ALL recordings within the criteria. For example, you could search for the word "gun" in all Online Searches and Keystrokes Typed. The Search Results display any matches to your search terms, and allow you to link directly to Screen Snapshots, User Explorer, or Data Explorer for further investigation.

To Search all data:

  1. Select the Search tool from the Dashboard navigation pane.

  2. In the right pane, enter your search term(s).
    Type a word or phrase in the Search for box. You can use quotation marks and AND / OR operators to refine the search, as described in Search Rules.

  3. Check Include partial matches to broaden the matches returned, so that "terror" finds "terrorism," "sex" finds "sexual" and "Essex," and so on. Clear Include partial matches to match the word exactly.

Narrow the Global Criteria and Search in options. If you include all users, all computers, and all recorded activities over a broad time period in the search, the search will be a lengthy process.  

  1. Under Search in, select event activities to search.
    Click to check Chat/IM, Online Searches, Email, and so on. The search includes only checked activities. Unchecked activities will not be searched. To clear all activities, click the Clear button below the options.

  2. Select event fields in which to search (optional).
    When you select an activity type to search, by default all event fields are selected to be searched. Click on an activity name, such as Chat/IMs,  to open a Search Fields box. Here, you can check the fields you want to search and clear the fields you don't need to search.

    For example, in the Chat/IMs Search Fields box, you might clear "Local User" and "Remote Users" if you are searching for a word in chat contents, such as gun.  Click OK to set the field selection. See Search Fields for more information on Search Fields for activity types.

  3. Before executing the Search, check the Global Criteria in the left pane of the Dashboard. You can use Global Criteria to set a date range and specific computer or user data to search. For example, you can search data recorded on all computers for the previous month, but limit user logins on those computers to three names, as shown below.  Click Apply.  See Setting Global Criteria.

  4. To execute the search, click the Search button in the right pane below the Search In options.
    Wait as the Dashboard searches the data. If you are searching a broad time period or across many users and activities, the search may take several minutes. A Cancel button allows you to exit out of the search.

  5. View and explore the results. Results are shown as 8 hours of events per page. See Viewing Search Results.

Related Topics

Search Rules

Search Fields

Viewing Search Results

Viewing Search Details

Understanding Recorded Events