Queries Against Archived Snapshots

You can query events from a silo in archiveDb if it was archived by Tenable Log Correlation Engine Server 6.0.6 or later. For more information, see Silo Archiving.

Tip: Use the output of archival-manager --list-snapshots to determine which Tenable Log Correlation Engine Server version archived the snapshot. For more information about archival-manager, see Tools.

When you select a date range in Tenable Security Center using the Archived view, Tenable Log Correlation Engine Server temporarily restores the archived silo into activeDb. This automated process can take several minutes, so expect higher-than-usual latency for the first query against a particular archived silo. Subsequent queries should exhibit normal latency.

Switching between the Active view and Archived view in Tenable Security Center does not remove the archived silo currently occupying the temporary restore slot. For best performance, complete all desired queries against one archived silo before selecting another. For more information about event analysis in Tenable Security Center, see Event Analysis in the Tenable Security Center User Guide.