Creating a new quick query

A quick query is a full-text search of the audit store database for a simple string or keyword. With a quick query, you can start typing the search string and see a list of potential matches from which you can select an item to look for sessions that contain the item. You should use quick queries when you want to find sessions based on a simple text string, such as a captured input or output, or based on a particular attribute, such as a user name or application, rather than using complex expressions.

To create a new quick query:

  1. Open Audit Analyzer, select Audit Sessions, right-click, then select New Quick Query.
  2. Type a search string into the search field.

    As you type, the Quick Query displays a list of possible matches that start with the text you are typing. For example, if you start typing the string “da” as the search term, the Quick Query list displays captured commands such as dacontrol, dad, and dadebug as potential matches.

    If a text string in the list is what you are looking for, select it. By default, the query will search for sessions that contain all of the text specified. If you want to search for any portion of the text specified, select Find sessions containing ANY instead of ALL of the search terms.

  3. Click Find to display the matching logon sessions in the right pane.

Searching for a specific string

If you want to search for a specific string, you can enclose the command line string with quotation marks. For example, you can type “dacontrol -i” to only return sessions that captured dacontrol with the -i option. If you type the same search string without quotation marks and select Find sessions containing ANY instead of ALL of the search terms, the quick query will return sessions that include dacontrol with and without the -i option.
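The following is an added example, not Audit Analyzer's own code: a small model of the quick query behaviour described above (prefix suggestions, ALL versus ANY term matching, and quoted phrases) run over a constructed set of captured command lines. It assumes unquoted terms match whole whitespace-separated tokens and a quoted phrase matches as an exact substring; the real search engine's tokenization may differ.

```python
import shlex

# Constructed sample: captured command lines per session (not real audit data).
SESSIONS = {
    "session-1": ["dacontrol -i", "dad", "ls -la"],
    "session-2": ["dacontrol", "dadebug -e"],
    "session-3": ["adinfo", "adcheck"],
}


def suggest(prefix, sessions=SESSIONS):
    """Complete the search term from captured command names, like the Quick Query list."""
    names = {line.split()[0] for lines in sessions.values() for line in lines if line.strip()}
    return sorted(name for name in names if name.startswith(prefix))


def parse_terms(query):
    """Split the query into search terms; a phrase in straight double quotes stays one term."""
    return shlex.split(query)


def term_matches(term, lines):
    """Quoted phrases (containing whitespace) match as substrings; plain terms match whole tokens."""
    if any(ch.isspace() for ch in term):
        return any(term in line for line in lines)
    tokens = {tok for line in lines for tok in line.split()}
    return term in tokens


def find_sessions(query, mode="ALL", sessions=SESSIONS):
    """Return session ids containing ALL (default) or ANY of the search terms."""
    terms = parse_terms(query)
    if not terms:
        return []
    combine = all if mode.upper() == "ALL" else any
    return [sid for sid, lines in sessions.items()
            if combine(term_matches(term, lines) for term in terms)]


if __name__ == "__main__":
    print(suggest("da"))                             # ['dacontrol', 'dad', 'dadebug']
    print(find_sessions('"dacontrol -i"'))           # ['session-1']
    print(find_sessions("dacontrol -i", "ALL"))      # ['session-1']
    print(find_sessions("dacontrol -i", "ANY"))      # ['session-1', 'session-2']
```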

Modifying a quick query

You can edit a quick query by selecting the query in the left pane, right-clicking, then selecting Properties. You can change the name and add a description on the General tab. Click the Definition tab to change the query text.