How often do you use the search feature? What is your typical search use case? How important is it for you to view an unlimited number of search results?

When working with our customers, the use cases below are typical:

  • During initial agent/output deployment we will use the search function to validate functionality and ensure it seems like we are collecting all the expected data
  • Some customers have long (1+ year) retention and search what we typically coin as “raw” logs
  • Quick ad-hoc searches for activity
  • When going through a scoping exercise, the search function is helpful for finding “spammy” events that we can exclude from the output, for example

In working with our customers, having unlimited results is not typical, especially if the results take too long to come back. It would be helpful to have the ability because sometimes we do need more results than ten thousand. It’s especially helpful to then be able to export those results to CSV and use another tool like ChatGPT to analyze the data. So, having the ability to get more than ten thousand results would be a great feature to add; while not super common, when it’s needed it would be greatly appreciated.

Hi Justin,

Thanks a lot for the detailed reply - this is exactly the kind of insight we love to see! It’s great to understand how search is used in different contexts like deployment validation, raw log analysis, and scoping.

Also, just a quick note: you can get more than 10,000 results. There’s a “Search limit” setting in the search parameters that lets you raise the cap when needed - especially handy for CSV exports and deeper analysis.

Your point about customers searching through long-retention “raw” logs is especially interesting - and honestly one of the more challenging use cases for us today. As you’ve probably noticed, searches can get quite slow when going through a number of large files. That’s because the search functionality wasn’t originally designed with that use case in mind - we expected historical queries to be handled by Access Analyzer, Threat Manager, Threat Prevention, or the customer’s SIEM. As a result, Activity Monitor doesn’t use any indexing - it simply reads and decompresses files in memory, scanning them from start to finish.

Hearing feedback like this is invaluable. It suggests this kind of usage may be more common than we anticipated, and that’s something we’ll definitely take into account going forward.

Really appreciate you taking the time to share this - your input means a lot to us.

You are welcome, glad to share our experience! Also, good call on changing the 10k limit!
