Search across long time spans in large datasets
Use a search job when you start an investigation and need to find specific events in logs up to seven years old. A search job runs across all your logs, including tables in the Analytics, Basic, and Archived log plans, so you can filter for events that match your criteria without first restoring or rehydrating the data.
For more information on search job concepts and limitations, see Start an investigation by searching large datasets and Search jobs in Azure Monitor.
Start a search job
Go to Search in Microsoft Sentinel to enter your search criteria.
In the Azure portal, go to Microsoft Sentinel and select the appropriate workspace.
Under General, select Search.
Select the Table menu and choose a table for your search.
In the Search box, enter a search term.
Select the Run search link to open the advanced KQL editor together with a preview of the results over a seven-day time range.
You can modify the KQL and see an updated preview of the search results by selecting Run.
Once you're satisfied with the query and the results preview, select the ellipsis (...) > turn on the Search job mode toggle > select the Search job button.
Select the appropriate Time range.
Make sure to resolve any KQL issues indicated by a squiggly red line in the editor. When you're ready to start the search job, select Search.
Enter a new table name in which the search job results will be stored > select Run a search job.
When the search job starts, wait for the notification and for the Done button to become available. Then select Done to close the search pane and return to the search overview page, where you can follow the job status.
Wait for the search job to complete. Search times vary with the size of the target dataset: most search jobs finish in a few minutes, but jobs over very large datasets can run for up to 24 hours. Search jobs over certain data sets may incur extra charges; see the Microsoft Sentinel pricing page for details.
View search job results
View the status and results of your search job by going to the Saved Searches tab.
In your Microsoft Sentinel workspace, select Search > Saved Searches.
On the search card, select View search results.
By default, you see all the results that match your original search criteria.
To refine the list of results returned from the search table, click the Add filter button.
As you're reviewing your search job results, click Add bookmark, or select the bookmark icon to preserve a row. Adding a bookmark allows you to tag events, add notes, and attach these events to an incident for later reference.
Click the Columns button and select the checkbox next to columns you'd like to add to the results view.
Add the Bookmarked filter to show only preserved entries. Select the View all bookmarks button to go to the Hunting page, where you can add a bookmark to an existing incident.
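The following is an added example, not code from the original page, showing what the KQL entered in the Start a search job procedure above might look like, followed by a query you would run in Logs over the resulting table once the job described in View search job results has completed. The table (SecurityEvent), the event ID, and the account name svc-backup are constructed for illustration; the results table name assumes the job was saved as FailedLogons and that Azure Monitor stores it with the _SRCH suffix, and the _OriginalTimeGenerated column is assumed to carry each event's original timestamp, both per Azure Monitor search-job conventions rather than anything stated on this page.

```kusto
// Added example, not from the original page. Table, event ID and account are constructed.
//
// 1. Search job query. Search jobs accept only row-level operators (where, extend, project,
//    parse and similar); aggregations and joins are rejected, so keep this a narrow filter
//    that can be pushed across the full time range, Basic and Archived tiers included.
SecurityEvent
| where EventID == 4625                         // failed logon (constructed example)
| where TargetUserName =~ "svc-backup"          // hypothetical service account
| project TimeGenerated, Computer, TargetUserName, IpAddress, LogonType

// 2. Follow-up query in Logs after the job completes. The results table is an ordinary
//    Analytics-tier table, so the full language is available here. Assumes the job was
//    named FailedLogons, giving FailedLogons_SRCH. TimeGenerated in a _SRCH table is the
//    time the row was written by the job, so use _OriginalTimeGenerated (assumed column)
//    for when the event actually happened.
FailedLogons_SRCH
| summarize Attempts = count(),
            Sources = dcount(IpAddress),
            FirstSeen = min(_OriginalTimeGenerated),
            LastSeen = max(_OriginalTimeGenerated) by Computer
| where Attempts > 50                           // constructed threshold
| order by Attempts desc
```

Keep the search job query itself as small as possible: every row it returns is written into the _SRCH table (which counts against the job's row limit and is billed as Analytics-tier ingestion), and anything you want to aggregate, pivot or join can be done cheaply afterwards against that table.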
Next steps
To learn more, see the following topics.