|
| 1 | +--- |
| 2 | +title: Search across long time spans in large datasets - Microsoft Sentinel |
| 3 | +description: Learn how to use search jobs to search extremely large datasets. |
| 4 | +author: cwatson-cat |
| 5 | +ms.topic: conceptual |
| 6 | +ms.date: 01/14/2022 |
| 7 | +ms.author: cwatson |
| 8 | +--- |
| 9 | + |
| 10 | +# Search across long time spans in extremely large datasets |
| 11 | + |
| 12 | +Use search jobs when you start an investigation to find specific events in logs within a given time frame. You can search all your logs, filter through them, and look for events that match your criteria. |
| 13 | + |
| 14 | +Search in Microsoft Sentinel is built on top of search jobs. Search jobs are asynchronous queries that fetch records. The results are returned to a search table that's created in your workspace at the time of the search. The search job uses parallel processing to run the search job across long time spans in extremely large datasets. |
| 15 | + |
| 16 | +Run search jobs on any type of log. But search jobs are ideally adapted for searching logs in Log Data Archive and Basic Logs. |
| 17 | + |
| 18 | +## Start a search job |
| 19 | + |
| 20 | +1. In the Azure portal, go to **Microsoft Sentinel** and select the appropriate workspace. |
| 21 | +1. Under **General**, select **Search (preview)**. |
| 22 | +1. In the **Search** box, enter the search term. |
| 23 | +1. Select the appropriate **Time range**. |
| 24 | +1. Select the **Table** that you want to search. |
| 25 | +1. When you're ready to start the search job, select **Search**. |
| 26 | + |
| 27 | + :::image type="content" source="media/search-jobs/search-job-criteria.png" alt-text="Screenshot of search page with search criteria of administrator, timerange last 90 days, and table selected."::: |
| 28 | + |
| 29 | + When the search job starts, a notification and the job status shows on the search page. |
| 30 | + |
| 31 | +## View search job results |
| 32 | + |
| 33 | +View the status and results of your search job by going to the **Saved Searches** tab. |
| 34 | + |
| 35 | +1. In your Microsoft Sentinel workspace select **Search** > **Saved Searches**. |
| 36 | + |
| 37 | + :::image type="content" source="media/search-jobs/saved-searches-tab.png" alt-text="Screenshot that shows saved searches tab on the search page."::: |
| 38 | + |
| 39 | +1. On the search card, select **View search results**. |
| 40 | + |
| 41 | + :::image type="content" source="media/search-jobs/view-search-results.png" alt-text="Screenshot that shows the link to view search results at the bottom of the search job card."::: |
| 42 | + |
| 43 | +1. By default, you see all the results that match your original search criteria. |
| 44 | + |
| 45 | + :::image type="content" source="media/search-jobs/search-job-results.png" alt-text="Screenshot that shows the logs page with search job results."::: |
| 46 | + |
| 47 | +1. To refine the list of results returned from the search table, edit the KQL query. |
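Review bot: The intro paragraph (file line 14) says results are "returned to a search table that's created in your workspace" but never gives the table's naming convention or how long it is retained, while the last step (file line 47) tells the reader to refine results by editing the KQL query against that table; add the table name pattern and retention so a reader can find and query the table from Logs, and note that it counts as ingested data in the workspace if that is the case. Two smaller points: file line 14 repeats the subject ("The search job uses parallel processing to run the search job across...") and should read "Search jobs use parallel processing to run across long time spans in extremely large datasets"; file line 16 is two fragments that read better as one sentence, for example "You can run search jobs on any type of log, but they're best suited to searching Basic Logs and Log Data Archive." Also worth a sentence under "Start a search job": what "search term" means here (a literal string matched across the selected table, or a KQL expression), since the screenshot alt text uses the plain word "administrator".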