Create or modify an event search

To create or modify an event search, complete the following steps:

  1. In Exposure Analytics, select Configure then All configurations.

  2. In the Exposure analytics section, select Entity discovery sources.

  3. Select the edit icon next to the source you want to create or modify an event search for.
  4. Enter your search using SPL. You must adhere to the Exposure Analytics field mappings. See Entity discovery field reference.
    Note: For streaming sources, you can't use the pipe ( | ) operator. For scheduled sources, event searches must result in a tabulated results set.
  5. (Optional) Test the search by selecting Open in search.
  6. (Optional) For scheduled sources, select the toggle switch to turn on Spread data processing. Then, enter a time in minutes to designate the data processing time frame. Event searches that return too many results can impact performance due to the size of the update on the KV store. If you have an event search that returns more than 200,000 results, you can spread data processing, which pushes all of the records to the KV store over a specified time frame rather than all at once. For example, if you have an event search that runs on a schedule of once per day and consistently returns more than 200,000 results, you can spread data processing over 30 minutes so that Exposure Analytics can push all of the records over a 30 minute time frame and reduce the impact on the KV store.
  7. (Optional) For scheduled sources, select the toggle switch to turn on Add custom data. If you added custom data fields to your event search, you can select this option to add that custom data to the Exposure Analytics inventories. You must define the custom fields before adding them to the inventories. See Add an additional field in Exposure Analytics.
    For example, let's say a source has a unique field called version that doesn't exist in the Exposure Analytics inventories. You can choose to add that field to an inventory so that you can track it against your assets.
    1. Select the Inventory where you want to add your custom data. For example, Asset.
    2. For the Mode, select whether you want to Merge or Overwrite the custom data. Overwriting the data means that each time the search runs, Exposure Analytics rewrites the values for each field, which removes any existing values and replaces them. Merging the data means that if a search run produces a value for a custom data field, Exposure Analytics adds it to the inventory without deleting the existing value.
    3. If you choose to overwrite the data, enter the fields that you want to overwrite.
  8. (Optional) To immediately populate custom data fields you added, select Generate summary.
  9. Select Update.

Some event searches for scheduled sources contain a mapped field called ari_lastdetect, which indicates when the record was last updated. If the ari_lastdetect field is present, Exposure Analytics uses this field as the last detection date for the source event. If there is no ari_lastdetect field, then Exposure Analytics uses the _time field from when the scheduled event search runs.