Log Search
Log Search is the primary investigation tool for SOC analysts. It provides full-text search across all ingested security logs with real-time filtering, field analysis, and export capabilities.
Search Interface
Query Syntax
- Full-text search: Type any keyword to search across all log fields
- Field-specific: Use `field:value` syntax (e.g., `src_ip:192.168.1.100`)
- Boolean operators: Combine with `AND`, `OR`, `NOT`
- Wildcards: Use `*` for partial matching (e.g., `host:web-*`)
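The following is an added example, not part of this documentation or the product's own code: a small evaluator for the query syntax described above, run against a handful of constructed events. It assumes that `field:value` matches the whole field value (with `*` wildcards), that a bare keyword matches as a case-insensitive substring of any field, that adjacent terms are implicitly ANDed (as filter chips are), and that `NOT` binds tighter than `AND`, which binds tighter than `OR`.

```python
import re

# Constructed sample events (not from any real deployment).
EVENTS = [
    {"host": "web-01", "src_ip": "192.168.1.100", "severity": "High", "msg": "failed login for admin"},
    {"host": "web-02", "src_ip": "10.0.0.7", "severity": "Info", "msg": "GET /index.html 200"},
    {"host": "db-01", "src_ip": "192.168.1.100", "severity": "Critical", "msg": "failed login for root"},
]

def _wild(pattern):
    # Translate the `*` wildcard into an anchored, case-insensitive regex.
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$", re.I)

def _term(tok):
    # `field:value` is assumed to match the whole field value (wildcards allowed);
    # a bare keyword is assumed to match as a case-insensitive substring of any field.
    if ":" in tok:
        field, value = tok.split(":", 1)
        rx = _wild(value)
        return lambda ev: field in ev and rx.search(str(ev[field])) is not None
    return lambda ev: any(tok.lower() in str(v).lower() for v in ev.values())

def parse(query):
    # The documented syntax has no parentheses, so precedence falls out of splitting:
    # OR-separated clauses, each a list of (negated, term) pairs joined by AND.
    # Adjacent terms are implicitly ANDed, matching how filter chips combine.
    clauses = []
    for clause in re.split(r"\s+OR\s+", query.strip()):
        terms, negate = [], False
        for tok in clause.split():
            if tok == "AND":
                continue
            if tok == "NOT":
                negate = not negate
                continue
            terms.append((negate, _term(tok)))
            negate = False
        clauses.append(terms)
    # Each term contributes negate XOR match; an empty query matches everything.
    return lambda ev: any(all(neg ^ t(ev) for neg, t in terms) for terms in clauses)

def search(query, events=EVENTS):
    pred = parse(query)
    return [ev for ev in events if pred(ev)]
```

Because a bare keyword containing a colon would be read as a field term, values such as timestamps should be searched with an explicit field name.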
Search Chips
Click any field value in search results to add it as a field:value filter chip. Active chips appear below the search bar. Click a chip again to remove it. Multiple chips are combined with AND logic.
Global Search Shortcut
Press Ctrl+K / Cmd+K from any page to open global search. Default prefix routes to Log Search.
Time Range
The default time range is 24 hours.
Preset Options
Select from predefined ranges: 15m, 1h, 6h, 24h, 7d, 30d, or set a custom date/time window.
Quick Buttons
The header includes quick-access buttons for the most common ranges: 24H, 7D, and 30D.
Histogram Chart
A severity-colored stacked bar chart displays log volume over the selected time range.
Severity Colors
Each bar is stacked by severity level: Critical, High, Medium, Low, and Info.
Tick Format
- 15m / 1h / 6h: `HH:mm`
- 24h / 7d: `MM/DD HH:mm`
- 30d: `MM/DD`
Data Source
The histogram uses server-side aggregation for accurate counts on most ranges. For the 30d range, client-side aggregation is used to reduce server load.
Tooltip
Hover over any bar to see a breakdown of event counts by severity level.
Severity Legend
A legend is displayed alongside the histogram with all five severity levels:
| Severity | Description |
|---|---|
| Critical | Confirmed threats requiring immediate response |
| High | Likely threats requiring prompt investigation |
| Medium | Suspicious activity worth reviewing |
| Low | Minor anomalies for awareness |
| Info | Informational events for context |
Layout
Fixed Header + Scrollable Results
The search bar, time range controls, quick buttons, and histogram remain fixed at the top of the page. Search results scroll independently below.
Field Browser
A field browser panel on the left side lists all available log fields with value distribution statistics. The field browser has its own independent scroll, separate from the results table. Click any field to add it as a search filter or display column.
Loading Spinner
When a query is running, a loading spinner appears sticky at the top of the results table rather than as a centered overlay, so you can still see previously loaded results.
Features
Search Highlighting
Matching terms are highlighted in search results using the <HighlightText> component, making it easy to spot relevant data in large log entries.
Live Mode
Activate Live Mode to stream new events in real time. New events are prepended to the top of the results table as they arrive.
Click-to-Filter
Click any cell value in search results to add it as a filter condition. This enables rapid drill-down without manually typing queries.
Copy-to-Clipboard
Copy field values (IPs, hostnames, hashes) directly from detail views for use in other investigation tools.
Entity Pivot
Click on entities (IPs, hostnames, users) to navigate to related log entries with a pre-filled search query.
Export
Export search results as CSV or JSON for offline analysis or reporting.
Access Requirements
Log Search is available on all tiers including Detect (Free).