NOTE: This feature is available only if auditing and content indexing was requested for the connection.
For more information, see Configuring the internal indexer.
You can search in the contents of the audit trails as follows:
-
From your browser: Use this method to find all the sessions containing your search query.
Enter the screen.content: expression search query in the Search query field. For example: screen.content="exit". The search returns all the sessions where exit was on the screen.
-
From the Safeguard Desktop Player application: Use this method to find the exact location of the search query within a specific audit trail.
Download the relevant audit trail, open it in the Safeguard Desktop Player application, and use the Search feature. You can also search in the contents of the audit trails for trails of graphical sessions created and indexed with One Identity Safeguard for Privileged Sessions (SPS) 6.0.
There are various ways you can refine your content query, you can:
-
use wildcards
-
use boolean expressions
-
search in the commands of terminal connections (for example, command:"sudo su")
-
search in the window titles of graphical connections (for example, title:settings)
Search query examples
The following sections provide examples for different search queries.
-
For examples of exact matches, see Searching for exact matches.
-
For examples of using boolean operators to combine search keywords, see Combining search keywords.
-
For examples of wildcard searches, see Using wildcard searches.
-
For examples of searching with special characters, see Searching for special characters.
-
For examples of fuzzy search that finds words with similar spelling, see Searching for fuzzy matches.
-
For examples of proximity search to find words that appear within a special distance, see Proximity search.
-
For examples of adjusting the relevance of a search term, see Adjusting the relevance of search terms.
For details on how to use more complex keyphrases that are not covered in this guide, see the Apache Lucene documentation.
Searching for exact matches
By default, One Identity Safeguard for Privileged Sessions (SPS) searches for keywords as whole words and returns only exact matches. Note that if your search keywords include special characters, you must escape them with a backslash (\) character. For details on special characters, see Searching for special characters. The following characters are special characters: + - & | ! ( ) { } [ ] ^ " ~ * ? : \ /
Example: Searching for exact matches
Search expression | example |
Matches | example |
Does not match |
examples example.com query-by-example exam |
To search for a string that includes a backslash characters, for example, a Windows path, use two backslashes (\\).
Search expression | C\:\\Windows |
Search expression on the REST API | C%5C%3A%5C%5CWindows |
Matches |
C:\Windows |
Combining search keywords
You can use boolean operators – AND, OR, NOT, and + (required), – to combine search keywords. More complex search expressions can also be constructed with parentheses. If you enter multiple keywords,
Example: Combining keywords in search
Search expression | keyword1 AND keyword2 |
Search expression on the REST API | keyword1%20AND%20keyword2 |
Matches | (returns hits that contain both keywords) |
Search expression | keyword1 OR keyword2 |
Search expression on the REST API | keyword1%20OR%20keyword2 |
Matches | (returns hits that contain at least one of the keywords) |
Search expression | keyword1 NOT keyword2 |
Search expression on the REST API | %22keyword1%20keyword2%22%20NOT%20%22keyword2%20keyword3%22 |
Matches | (returns hits that contain the first phrase, but not the second) |
Search expression | +keyword1 keyword2 |
Search expression on the REST API | %2Bkeyword1%20keyword2 |
Matches | (returns hits that contain keyword1, and may contain keyword2) |
To search for expressions that can be interpreted as boolean operators (for example: AND), use the following format: "AND".
Example: Using parentheses in search
Use parentheses to create more complex search expressions:
Search expression | (keyword1 OR keyword2) AND keyword3 |
Search expression on the REST API | %28keyword1%20OR%20keyword2%29%20AND%20keyword3 |
Matches | (returns hits that contain either keyword1 and keyword3, or keyword2 and keyword3) |
Using wildcard searches
You can use the ? and * wildcards in your search expressions.
Example: Using wildcard ? in search
The ? (question mark) wildcard means exactly one arbitrary character. Note that it does not work for finding non-UTF-8 or multibyte characters. If you want to search for these characters, the expression ?? might work, or you can use the * wildcard instead.
You cannot use a * or ? symbol as the first character of a search.
Search expression | example? |
Search expression on the REST API | example%3F |
Matches |
example1 examples example? |
Does not match |
example.com example12 query-by-example |
Search expression | example?? |
Search expression on the REST API | example%3F%3F |
Matches |
example12 |
Does not match |
example.com example1 query-by-example |
Example: Using wildcard * in search
The * wildcard means 0 or more arbitrary characters. It finds non-UTF-8 and multibyte characters as well.
Search expression | example* |
Search expression on the REST API | example%2A |
Matches |
example examples example.com |
Does not match |
query-by-example example* |
Example: Using combined wildcards in search
Wildcard characters can be combined.
Search expression | ex?mple* |
Search expression on the REST API | ex%3Fmple%2A |
Matches |
example1 examples example.com exemple.com example12 |
Does not match |
exmples query-by-example |
Searching for special characters
To search for the special characters, for example, question mark (?), asterisk (*), backslash (\) or whitespace ( ) characters, you must prefix these characters with a backslash (\). Any character after a backslash is handled as character to be searched for. The following characters are special characters: + - & | ! ( ) { } [ ] ^ " ~ * ? : \ /
Example: Searching for special characters
To search for a special character, use a backslash (\).
Search expression | example\? |
Search expression on the REST API | example%5C%3F |
Matches |
example? |
Does not match |
examples example1 |
To search for a string that includes a backslash characters, for example, a Windows path, use two backslashes (\\).
Search expression | C\:\\Windows |
Search expression on the REST API | C%5C%3A%5C%5CWindows |
Matches |
C:\Windows |
To search for a string that includes a slash character, for example, a UNIX path, you must escape the every slash with a backslash (\/).
Search expression | \/var\/log\/messages |
Search expression on the REST API | %5C%2Fvar%5C%2Flog%5C%2Fmessages |
Matches |
/var/log/messages |
Search expression | \(1\+1\)\:2 |
Search expression on the REST API | %5C%281%5C%2B1%5C%29%5C%3A2 |
Matches |
(1+1):2 |
Searching in commands and window titles
For terminal connections, use the command: prefix to search only in the commands (excluding screen content). For graphical connections, use the title: prefix to search only in the window titles (excluding screen content). To exclude search results that are commands or window titles, use the following format: keyword AND NOT title:[* TO *].
You can also combine these search queries with other expressions and wildcards, for example, title:properties AND gateway.
Example: Searching in commands and window titles
Search expression | command:sudo su |
Search expression on the REST API | command%3A%22sudo+su%22 |
Matches |
sudo su as a terminal command |
Does not match | sudo su in general screen content |
Search expression | title:settings |
Search expression on the REST API | title%3Asettings |
Matches |
settings appearing in the title of an active window |
Does not match | settings in general screen content |
To find an expression in the screen content and exclude search results from the commands or window titles, see the following example.
Search expression | properties AND NOT title:[* TO *] |
Search expression on the REST API | properties%20AND%20NOT%20title%3A%5B%2A%20TO%20%2A%5D |
Matches |
properties appearing in the screen content, but not as a window title. |
Does not match | properties in window titles. |
You can also combine these search filters with other expressions and wildcards.
Search expression | title:properties AND gateway |
Search expression on the REST API | title%3Aproperties%20AND%20gateway |
Matches |
A screen where properties appears in the window title, and gateway in the screen content (or as part of the window title). |
Does not match |
Screens where both properties and gateway appear, but properties is not in the window title. |
Searching for fuzzy matches
Fuzzy search uses the tilde ~ symbol at the end of a single keyword to find hits that contain words with similar spelling to the keyword.
Example: Searching for fuzzy matches
Search expression | roam~ |
Search expression on the REST API | roam%7E |
Matches |
roams foam |
Proximity search
Proximity search uses the tilde ~ symbol at the end of a phrase to find keywords from the phrase that are within the specified distance from each other.
Example: Proximity search
Search expression | keyword1 keyword2 ~10 |
Search expression on the REST API | %22keyword1%20keyword2%22%7E10 |
Matches | (returns hits that contain keyword1 and keyword2 within 10 words from each other) |
Adjusting the relevance of search terms
By default, every keyword or phrase of a search expression is treated as equal. Use the caret ^ symbol to make a keyword or expression more important than the others.
Example: Adjusting the relevance of search terms
Search expression | keyword1^4 keyword2 |
Search expression on the REST API | keyword1%5E4%20keyword2 |
Matches | (returns hits that contain keyword1 and keyword2, but keyword1 is 4-times more relevant) |
Search expression | keyword1^5 keyword2 |
Search expression on the REST API | %22keyword1%20keyword2%22%5E5%20%22keyword3%20keyword4%22 |
Matches | (returns hits that contain keyword1 and keyword2, but keyword1 is 5-times more relevant) |