Decoder: search.ini Search String Syntax

Document created by RSA Information Design and Development on Jun 25, 2017Last modified by RSA Information Design and Development on Sep 25, 2017
Version 2Show Document
  • Comment0
  • View in full screen mode
  

This topic introduces search methods and syntax for use in Search parser. 

The Search parser uses three basic search methods:

  • Keyword: Search a stream for a specific set of words.
  • Pattern: Search a stream for a regular expression match.
  • Keyword+Pattern: Search a stream for a regular expression if it contains any of a given set of key words.

Syntax

 Maxrecon=<max_size>Maxsearch=<max_ssearch_length>MatchLimit=<max_matches_per_stream Search Name Services=<service_id_list>Keywords=<keyword_list>|Pattern=<expression>Case=0|1 Proximity=<number_of_bytes>Recon=0|1 Raw=0|1

Parameters

Parameters used in this command:
 

                         
ParameterDescription
autocheckAutomatically fixes all problems without prompting
header OnlyCheck/display the header of each file
chattyDisplays a hex dump of every object in the file (huge amount of data)
dump#-#Indicates a zero-based object or range of objects in the file to output in hex to the console

Example

Following is an example of the command:

To check all NetWitness database files located in the Collection named Default. If any problems are found, the command will describe the problem and ask if you would like to fix it. 

 dbcheck C:\Documents and Settings\User\My Documents\NetWitness\ Investigations\Default\*.nw*
Previous Topic:Search Parser
You are here
Table of Contents > References > Services Config View - Files Tab > Search Parser > search.ini Search String Syntax

Attachments

    Outcomes