Activity & Config Search

Overview

Activity, Config, and Collections provide a similar search interface to find what you are looking for. The differences between these are:

  1. Activity search includes a start and end date/time range that encompasses when a change happened. Results shown are any changes that match the search terms and have a Modified Date within that range.
  2. Config search takes a single point in time and shows the configuration known at that time; in other words, entries whose Modified Date occurred before the time specified. The default "now" returns the latest config. Config search also requires at least one search term, is limited to a maximum of 1000 results, and returns the current configuration only (not changes) for a particular element + service definition + resource combination.
  3. Collections are used to group elements based on the search criteria against the current configuration. The Last Checked (MonitoredAt) field is used to determine inclusion and to avoid matching out-of-date configs. Collections are used in certain configuration (such as Policies) but can also be used within other searches. When managing Collections, the results show the list of matching elements.

Search Interface

[Screenshots: Search Bar; Search Bar Editing]

The search bar allows you to add/edit search terms, clear the search, and refresh the search.

  1. Category: Specify the category for new search terms. See Categories & Fields below for more information.
  2. Term: Add a search term. By default hitting enter will add a logical OR term. If logical AND is desired then use the AND button. To edit an existing search term select the term and the input will update to the current value. The OR/AND options are replaced by Save/Cancel when editing.
  3. OR/AND: Used when adding terms (2).
  4. Clear: will clear all search terms.
  5. Refresh: refresh the search results. Note that any time a term is added, modified, or removed the search is refreshed automatically.
  6. Search Terms: OR terms of the same category are grouped together with AND terms on separate lines.
  7. Selecting a search term enters edit mode. The term input (2) updates to the term value and the term now shows some controls (left-to-right):
    1. Disable/Enable: Disable keeps the search term but excludes it from the search.
    2. Negate: Logical NOT of the term; also changes the term's colour to red.
    3. Delete: remove the term.
    4. Close: exit edit mode (or hit ESC or click the Cancel button).

The example screenshot above is from the Activity app and so also has the date/time range shown Last 5 Years. Select this to change the range. Config is similar, and Collections have a separate input field Last Checked Within to specify what is considered current.

Wildcard (default) and Exact Match

When adding search terms the default is to perform a wildcard search which is not case sensitive. Wildcard symbols are not needed or supported explicitly.

In the example search above the term /etc/hosts is a wildcard search and would match any resource that contains that string regardless of case, e.g. /etc/hosts.allow or /backup/etc/HOSTS.

If an exact match is desired then surround the term with double quotes. Also in the example search above "/etc/hostname" is an exact match and will only match resources with that exact specific name and matching case.

Some categories additionally support further restricting a search to specific fields. In the example search above the term group:"root" searches the group field in the Property category for the exact match root. Field search supports both wildcard and exact matches, so for example group:root will also work.

Refer to Categories and Fields below for more details. Note that field names are not case sensitive when doing field search.

Categories and Fields

Content

Search within the content of the entries. Performing an exact search on content gives the same answers as a wildcard search.

Note: Activity also supports the following field search:
  • SearchableDiffContent (search for content added or removed)
Example searches:
  • something (wildcard entire content)
  • SearchableDiffContent:-something (wildcard content removed)
  • SearchableDiffContent:+something (wildcard content added)
  • SearchableDiffContent:something (wildcard added or removed)
  • SearchableDiffContent:"-whole line" (exact content line removed)

Address

Search for entries by element addresses or names. All fields are searched by default. Field and exact search are supported, with some exceptions noted below:
  • Address (primary IP)
  • ContainerID
  • ContainerName
  • ContainerImage
  • IP Addresses (not for field search)
  • Virtual IP Addresses (not for field search)
  • MAC Addresses (not for field search)
  • Host/Domain Names (not for field search)
When searching for an IP address, CIDR notation is also supported. Example searches:
  • "server.location.siff.io" (exact hostname)
  • location.siff.io (wildcard hostname)
  • 10.3.0.0/24 (CIDR search)
  • 192.168.0 (wildcard IP)
  • "192.168.0.1" (exact IP)
  • aa:bb:cc:dd:ee:ff (MAC address, not available on all device types)
  • containerimage:wordpress (wildcard field specific)

Collection

Search using an existing Collection by name. When used this way the collection is a list of elements, and the search includes/restricts the results to only these elements.

Platform

Search based on the type of element. All fields are searched by default. Field and exact search are supported:
  • OSPlatform
  • OSVersion
  • OSArch
  • Distribution
Example searches:
  • ciscoios (all field wildcard)
  • distribution:me380x (wildcard field specific)

Service

Search by Service Definition name or alias. Both fields are searched by default. Field and exact search are supported:
  • ServiceName
  • ServiceAlias

Resource

Search by Resource name or Command Line. Both fields are searched by default. Field and exact search are supported:
  • Resource
  • CommandLine (only applicable for command type entries)
Example searches:
  • /etc/hosts (all field wildcard)
  • "/etc/hostname" (all field exact)

Tag

Search by Tag, Change Request ID, or whether Issue is flagged. Field and exact search are supported:
  • Tag
  • ChangeRequestID
  • Issue (NOTE: this is a boolean field; supports a true or false value)
Example searches:
  • tag123 (all field wildcard)
  • tag:"tag123" (tag field exact match)
  • issue:"true" (search for issues)

Comment

Search for entries based on comments or who left a comment.

Example searches:
  • "[email protected]" (exact search for commenter)
  • maintenance (wildcard comment or commenter)

Property

This is the largest category, covering other meta-data fields. Most fields are searched by default (see below). Field and exact search are supported:
  • ChangeType (new | update)
  • ValidationType (planned | unplanned | autovalidated | manualvalidated)
  • Status (success | warn | timeout | unknown)
  • Checksum
  • EntryID
  • Filetype (Resource Type: text file | large text file | binary file | directory | command | api | registry | dns | permission denied)
  • Owner (files/directories)
  • Group (files/directories)
  • Permission (files/directories)
  • Security (files/directories)
  • Attribution
  • AccessName
  • CollectorID (only field search)
  • CollectorName (only field search)

Violations

Find entries with violations. All fields are searched by default. Field and exact search are supported:
  • Policy
  • Alias
  • Rule
Example searches:
  • alias:"log4shell"
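The matching rules above (case-insensitive wildcard by default, double-quoted exact match, case-insensitive field:value prefixes, CIDR on address fields, OR within a category and AND across categories, negation) are worked through in the added example below. It is illustrative code written for this page, not the product's own search implementation, and the entries, the category-to-field subset and the query structure are constructed assumptions.

```python
import ipaddress

# Subset of the page's category-to-field table (assumption); field names are case-insensitive.
CATEGORY_FIELDS = {
    "Resource": ["Resource", "CommandLine"],
    "Property": ["Owner", "Group", "Permission", "ChangeType"],
    "Address": ["Address", "ContainerImage"],
}
FIELD_NAMES = {f.lower(): f for fs in CATEGORY_FIELDS.values() for f in fs}

# Constructed sample entries, not data from the page.
ENTRIES = [
    {"Resource": "/etc/hosts", "Owner": "root", "Group": "root", "Address": "10.3.0.7"},
    {"Resource": "/etc/hosts.allow", "Owner": "root", "Group": "wheel", "Address": "10.3.0.8"},
    {"Resource": "/backup/etc/HOSTS", "Owner": "backup", "Group": "root", "Address": "192.168.0.1"},
    {"Resource": "/etc/hostname", "Owner": "root", "Group": "root", "Address": "10.4.0.1"},
]

def parse_term(raw):
    """Return (field, value, exact). A 'field:' prefix is only honoured for known
    field names, so a MAC address such as aa:bb:cc:dd:ee:ff stays a plain term.
    Surrounding double quotes request an exact, case-sensitive match."""
    field = None
    head, sep, tail = raw.partition(":")
    if sep and head.lower() in FIELD_NAMES:
        field, raw = FIELD_NAMES[head.lower()], tail
    exact = len(raw) >= 2 and raw[0] == raw[-1] == '"'
    return field, (raw[1:-1] if exact else raw), exact

def value_matches(value, actual, exact, category):
    if category == "Address" and "/" in value:  # CIDR search on address fields
        try:
            return ipaddress.ip_address(actual) in ipaddress.ip_network(value, strict=False)
        except ValueError:  # non-IP value (e.g. a hostname) never matches a CIDR term
            return False
    return value == actual if exact else value.lower() in actual.lower()

def term_matches(entry, category, raw):
    field, value, exact = parse_term(raw)
    fields = [field] if field else CATEGORY_FIELDS[category]  # all fields by default
    return any(f in entry and value_matches(value, entry[f], exact, category) for f in fields)

def search(entries, groups):
    """groups: [(category, [(term, negated), ...]), ...]. Terms in one group are
    ORed (same-category OR terms); groups are ANDed (separate AND lines)."""
    def group_ok(entry, category, terms):
        return any(term_matches(entry, category, t) != neg for t, neg in terms)
    return [e["Resource"] for e in entries if all(group_ok(e, c, ts) for c, ts in groups)]
```

Running the page's own example, (/etc/hosts OR "/etc/hostname") AND group:"root", returns /etc/hosts, /backup/etc/HOSTS and /etc/hostname but not /etc/hosts.allow, whose group is not root.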