The Search Tool is launched by navigating to Status > Search. This tool provides the means to search through all of the flows stored in the database for specific flows.
There are two search options available:
- Saved Flows search
- Host Index search
Only the 1 minute interval tables contain 100% of all flows collected. To make sure the system is querying 1 minute interval data, limit the search to under 1 hour of time. Visit the Admin>Settings>Data History page and increase the “Maximum Conversations” saved per interval value to increase the volume of flows saved per interval. Be aware that this will likely require more hard disk space. Before making any changes, visit the Dashboard tab>Vitals (or Status>System>Vitals) to view how much hard drive space is being consumed.
1) Saved Flows search¶
The Saved Flows search allows a search on the following fields:
- Source Host
- Destination Host
- Source or Destination Host
- User as Source
- User as Destination
- Wireless Host
- Wireless SSID
The User as Source and User as Destination search fields allow a search by Username if they are being collected from the authentication servers.
Other search options:
- Either All exporting devices or a specific exporter
- Selecting the time range for the search. The time range can be either a predefined time range, such as Last 5 minutes, Last Ten Minutes, etc., or a custom timeframe.
If flows meet the search criteria for the Saved Flows search, a Host to Host report will return the results of the search.
2) Host Index search¶
The index is a list of all IP addresses that have been seen in flows either as the source or destination of a flow. Because it is an index, it does not contain the entire flow contents. The Host Index search is used to perform extremely fast searches for hosts.
Simply enter the host IP address in the search textbox and click the Search button. If the host is found as either Source or Destination in any flows stored in the database, Scrutinizer will return a list including:
- Device (exporter’s IP address)
- First Seen
- Last Seen
- Flow Count
Clicking on an IP address in the Device list will open a Report menu. The report selected will report on the last hour of flows received by the host selected.
The Host Index search requires that Host Indexing in Admin -> Settings -> System Preferences is enabled.
The host index will retain IP addresses for 365 days by default. To make changes, visit Admin tab -> Settings -> Data History and modify the “Days of host index data”. Keep in mind that even though the host index has the IP address searched on, the flows used to build the index may have been dropped by the rollup process.