Search across long time spans in large datasets (preview)

Use a search job when you start an investigation to find specific events in logs within a given time frame. You can search all your logs, filter through them, and look for events that match your criteria.

Before you start a search job, see Start an investigation by searching large datasets (preview) and Search jobs in Azure Monitor.

Important

The search job feature is currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Start a search job

Go to Search in Microsoft Sentinel to enter your search criteria.

  1. In the Azure portal, go to Microsoft Sentinel and select the appropriate workspace.

  2. Under General, select Search (preview).

  3. In the Search box, enter the search term.

  4. Select the appropriate Time range.

  5. Select the Table that you want to search.

  6. When you're ready to start the search job, select Search.

    Screenshot of the search page with the search term administrator, a time range of the last 90 days, and a table selected.

    When the search job starts, a notification and the job status show on the search page.

  7. Wait for your search job to complete. Depending on your dataset and search criteria, the search job may take a few minutes or up to 24 hours to complete. If your search job takes longer than 24 hours, it will time out. If that happens, refine your search criteria and try again.

View search job results

View the status and results of your search job by going to the Saved Searches tab.

  1. In your Microsoft Sentinel workspace, select Search > Saved Searches.

    Screenshot that shows saved searches tab on the search page.

  2. On the search card, select View search results.

    Screenshot that shows the link to view search results at the bottom of the search job card.

  3. By default, you see all the results that match your original search criteria.

    Screenshot that shows the logs page with search job results.

    In the search query, notice the time columns referenced.

    • TimeGenerated is the date and time the data was ingested into the search table.
    • _OriginalTimeGenerated is the date and time the record was created.

  4. To refine the list of results returned from the search table, edit the KQL query.

  5. As you're reviewing your search job results, bookmark rows that contain information you find interesting so you can attach them to an incident or refer to them later.
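The following KQL query is an added example (not from this page or from Microsoft) of refining search job results by the original event time rather than the ingestion time; it assumes the search job was named Admin so that its results landed in the Admin_SRCH table, and that the source rows carry Account and Activity columns, as SecurityEvent rows do.

```kql
// Added example: refine search job results using the time the event actually happened.
// Assumptions (not from the page): the search job was named "Admin" and its results
// landed in Admin_SRCH (Azure Monitor appends _SRCH to the search name); the source
// rows carry Account and Activity columns.
Admin_SRCH
// Scope by when the record was created, not by when the search job wrote it:
// TimeGenerated in a search table is the ingestion time into that table.
| where _OriginalTimeGenerated between (ago(90d) .. now())
// Measure how long after creation each record reached the search table; records with
// a large lag are the ones a scheduled analytics rule on the source table may have missed.
| extend IngestLagHours = datetime_diff('hour', TimeGenerated, _OriginalTimeGenerated)
// Keep the rows that match the investigation's search term.
| where Account has "administrator"
// Summarize per account, per activity, per day of original event time.
| summarize Events = count(),
            FirstSeen = min(_OriginalTimeGenerated),
            LastSeen = max(_OriginalTimeGenerated),
            MaxLagHours = max(IngestLagHours)
          by Account, Activity, bin(_OriginalTimeGenerated, 1d)
| order by _OriginalTimeGenerated asc
```

Rows with a high MaxLagHours are good candidates to bookmark, since they show activity that was created inside the investigation window but only became searchable well after the fact.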

Next steps

To learn more, see the following topics.