Searching Your Data
    • 12 Mar 2025


    The Security Data Lake Search page enables you to write Structured Query Language (SQL) searches against your data stored in the Security Data Lake.

    This is useful for security practitioners who need to review their logs for specific events, answer questions like “Is this normal or anomalous?”, aggregate data to identify trends, or perform complex analysis to uncover hidden threats.

    Navigate to the Search page

    From the navigation menu, under Your Environment, click on Security Data Lake.

    Overview of the Search page

    The Search page for the Security Data Lake is similar to a SQL client for a relational database engine:

    1. Table Explorer: See a list of tables that can be included in queries. Clicking a table opens a slide-out with more details about the table and its schema.

    2. Query Window: Compose your SQL query here.

    3. Results Window: View the results of your queries here.

    Table Explorer

    The Table Explorer is the best way to understand what you can search in the Security Data Lake, and how it is structured. Each entry corresponds to a table that can be included in a query. Tables correspond to your active integrations that support data lake search.

    To see the available columns for a table:

    1. Click the table name you are interested in.

    2. A slide-out will appear with details about the table and a list of columns that you can include in queries.

    To generate a sample query for a table:

    1. Click the table name you are interested in.

    2. A slide-out with table details will appear.

    3. Click Query this table to generate a sample SQL query. The query will be automatically pasted into the Query Window.

    Query Window

    The Query Window is where you compose your SQL queries. You can write them by hand or use the Table Explorer to generate a query automatically.

    1. The Query field is where you can write your SQL query.

    2. The Time Selector limits the date/time range over which your query is executed. This keeps queries fast and lets you rerun the same query on a different time period without editing the SQL itself.

    3. Click the Execute button to submit the query and get the results.

    4. Results will automatically appear below the Query Window when available.

    Results Window

    After running a query, the results will be displayed at the bottom of the page below the Execute button.

    1. If the query execution was successful, you will see the results displayed in tabular form.

    2. If the query could not be executed (for example, because of a syntax error, an ambiguous schema reference, or otherwise invalid SQL), you will see an error message explaining why.

    What is searchable?

    Integrations that support SQL querying will be marked as “Searchable” under the Data Is column on the Integrations page. This includes Security Data Lake Syslog and Zscaler integrations. Refer to those integrations pages to learn more about what fields are available to query.

    What queries are allowed?

    The Security Data Lake Search page is read-only, so Data Manipulation Language (DML) like INSERT, UPDATE, or DELETE is not valid. Similarly, Data Definition Language (DDL) like CREATE, ALTER, or DROP is not valid.

    SELECT statements are valid, and can include sub-queries and JOINs if needed. For a list of the supported built-in SQL functions and operators, refer to the official Trino documentation.
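    The following read-only query is an added example and is not part of the product documentation. It shows the kind of SELECT, with a subquery (CTE) and a JOIN, that the Search page permits, written against Trino's built-in functions. The table name zscaler_web and its columns (event_time, user_name, action) are assumptions; check the Table Explorer slide-out for the actual schema, and rely on the Time Selector rather than a WHERE clause to bound the time range.

```sql
-- Added example, not from the product docs. zscaler_web, event_time,
-- user_name and action are assumed names; confirm them in the Table Explorer.
-- Per-user hourly count of blocked requests, then flag hours that are far
-- above that user's own baseline (a simple "is this normal?" check).
WITH hourly AS (
  SELECT
    date_trunc('hour', event_time) AS hour_bucket,   -- Trino date_trunc
    user_name,
    count(*) AS blocked
  FROM zscaler_web
  WHERE action = 'Blocked'
  GROUP BY 1, 2
),
baseline AS (
  SELECT
    user_name,
    avg(blocked)    AS avg_blocked,
    stddev(blocked) AS sd_blocked                     -- NULL if only one hour
  FROM hourly
  GROUP BY user_name
)
SELECT
  h.hour_bucket,
  h.user_name,
  h.blocked,
  round(b.avg_blocked, 1) AS avg_blocked
FROM hourly h
JOIN baseline b ON h.user_name = b.user_name
WHERE h.blocked > b.avg_blocked + 3 * coalesce(b.sd_blocked, 0)
  AND h.blocked >= 20                                 -- ignore low-volume noise
ORDER BY h.blocked DESC
LIMIT 100;
```

    Because the page is read-only, the same query would be rejected if rewritten as INSERT ... SELECT or CREATE TABLE AS; keep analysis in SELECT statements and CTEs.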

