Search across long time spans in large datasets

Use a search job when you start an investigation to find specific events in logs up to seven years ago. You can search events across all your logs, including events in Analytics, Basic, and Archived log plans. Filter and look for events that match your criteria.

For more information on search job concepts, see Start an investigation by searching large datasets and Search jobs in Azure Monitor.

Start a search job

Go to Search in Microsoft Sentinel to enter your search criteria.

  1. In the Azure portal, go to Microsoft Sentinel and select the appropriate workspace.

  2. Under General, select Search.

  3. Select the Table menu and choose a table for your search.

  4. In the Search box, enter a search term.

    Screenshot of search page with search criteria of administrator, time range last 90 days, and table selected.

  5. Click the Run search link to open the advanced KQL editor and a preview of the results for a seven day time range.

    Screenshot of KQL editor with the initial search and the results for a seven day period.

  6. You can modify the KQL and see an updated preview of the search results by selecting Run.

    Screenshot of KQL editor with revised search.

  7. Once you're satisfied with the query and the search results preview, click the ellipsis (...) in the editor, toggle the Search job mode switch, and then click the Search job button.

    Screenshot of KQL editor with revised search with ellipsis highlighted for Search job mode.

  8. Select the appropriate Time range.

    Screenshot of KQL editor with revised search, and custom time range.

  9. Make sure to resolve any KQL issues indicated by a squiggly red line in the editor. When you're ready to start the search job, select Search.

  10. Enter a new table name where the search job results will be stored, and then click Run a search job.

    When the search job starts, wait for a notification, and the Done button to be available. Once the notification is displayed, click Done to close the search pane and return to the search overview page to view the job status.

  11. Wait for your search job to be completed. Depending on the size of the target dataset, search times vary. While most search jobs take a few minutes to complete, searches across massive data sets that run up to 24 hours are also supported. Search jobs across certain data sets may incur extra charges. Refer to the Microsoft Sentinel pricing page for more information.
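As an added example (not from this page or the Sentinel documentation) of the KQL you would enter at steps 5 through 10, the first query is the search job itself and the second runs over the results table afterward. Search job queries must start with a table name and accept only a filtering subset of KQL (where, extend, project and its variants, parse and parse-where), so aggregation belongs in the second query; the results table name AdminSearch_SRCH is assumed (the name typed in step 10, with the _SRCH suffix the service appends), and the SecurityEvent table and the "administrator" search term follow the screenshots above.

```kusto
// Search job query (step 5 to step 10): filter-only KQL over up to seven years of SecurityEvent.
// No summarize/join here; search jobs reject operators outside the supported subset.
// Event IDs are standard Windows Security log values: 4720 = user account created,
// 4732 = member added to a security-enabled local group.
SecurityEvent
| where EventID in (4720, 4732)
| where TargetUserName has "administrator" or MemberName has "administrator"
| project TimeGenerated, Computer, EventID, Activity,
          SubjectUserName, TargetUserName, MemberName

// Review query (run after the job reports Done): the results table, assumed here to be
// named AdminSearch_SRCH, supports the full KQL language, so aggregate and rank here.
AdminSearch_SRCH
| summarize Events = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
            by Computer, SubjectUserName, EventID
| order by Events desc
```

Rows worth preserving from the review query are the ones to bookmark in the results view so they can be attached to an incident.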

View search job results

View the status and results of your search job by going to the Saved Searches tab.

  1. In your Microsoft Sentinel workspace, select Search > Saved Searches.

  2. On the search card, select View search results.

    Screenshot that shows the link to view search results at the bottom of the search job card.

  3. By default, you see all the results that match your original search criteria.

  4. To refine the list of results returned from the search table, click the Add filter button.

    Screenshot that shows search job results with added filters.

  5. As you're reviewing your search job results, click Add bookmark, or select the bookmark icon to preserve a row. Adding a bookmark allows you to tag events, add notes, and attach these events to an incident for later reference.

    Screenshot that shows search job results with a bookmark in the process of being added.

  6. Click the Columns button and select the checkbox next to columns you'd like to add to the results view.

  7. Add the Bookmarked filter to show only preserved entries. Click the View all bookmarks button to go to the Hunting page, where you can add a bookmark to an existing incident.

Next steps

To learn more, see the following topics.