Run an analyzed log search

Data Explorer allows you to search through analyzed logs from all ingested log sources. You can:

Run a predefined search

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Data Exploration > Data Explorer.
  3. Optional: In the Date Range fields, click Calendar to select a time range.
  4. In the Load Query (Optional) list, select a preset or saved custom query.
    Tip: Preset queries are included with Data Explorer and cannot be edited. Saved queries are defined by users in your organization. If you select a saved query from the Load Query (Optional) list, the View Settings option will appear.
    After selecting a query from the Load Query (Optional) list, predefined values are added to the Query Builder.
  5. Click Run Query .

  6. Optional: Complete any of these actions:

Create and run a query

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Data Exploration > Data Explorer.
  3. Optional: In the Date Range boxes, click Calendar to select a time range.
  4. In the Query Builder section, use operators to define a dataset.
    For more information, see:
    Tip: You can start by loading a predefined query into the Query Builder. In the Load Query (Optional) list, select a predefined query. Then, modify the query as desired.
  5. Optional: Add a regex template to your query:
    Note: Arctic Wolf® uses RE2 and Java regex engines. Support for Lucene regex expressions is not available.
    1. In the Data Explorer section, click Regex Templates.
    2. In the Search templates box, filter and search for a regex template, such as IP address, and then select the desired regex template.
    3. Click Use in Query.
      Tip: Click Copy Pattern to manually insert the regex pattern into a query.
    4. In the Select a Field dialog, select the field for the regex template, and then do one of these actions:
    1. Click Insert into current query to insert the regex template into your current query.
    2. Click Start new query to copy the regex template and start a new query.
      Note: This action removes any Data Explorer and operator fields you previously selected.
  6. Click Run Query .

  7. Optional: Complete any of these actions: