000029118 - Index level best practices in RSA Security Analytics

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000029118
Applies To: RSA Product Set: RSA Security Analytics
RSA Product/Service Type: Concentrator
RSA Version/Condition: 10.3.x, 10.4.x
Platform: CentOS
O/S Version: EL5, EL6
Tasks: Recommendation on how to use the index level settings to get better query performance from the Investigation view in Security Analytics.
Resolution: There are three index levels (types of indexing) that can be assigned to a meta key: IndexNone, IndexKeys and IndexValues.

IndexNone: This type of custom index entry is not really an index at all. Custom index entries with level IndexNone exist only to define and document the meta key. IndexNone entries can be used in a custom Decoder index to enforce a specific data type (format) for a meta key across all the parsers on that Decoder.

IndexKeys: The index only keeps track of which sessions contain meta items with this meta key name. It does not index the unique values of the key in the meta database. This is enough to answer whether the key is present in a session, but not to filter on a particular value efficiently.

IndexValues: The index keeps track, for each individual unique value of the meta key, of the sessions that contain that value. Compared with IndexKeys, this is what is needed for efficient processing of a where clause in query and values calls, for example when drilling into one value of the key.

In the SA UI there is a significant difference between the last two levels. IndexKeys keys always come up in a closed (collapsed) state, which has a positive effect when rendering the first Investigation page. IndexValues keys come up in an expanded state; behind the scenes the UI issues a values query for each such meta key, which has a negative effect when rendering the first Investigation page but speeds up the subsequent drills.

Therefore, depending on where the query slowness is seen (the first time the Investigation page is opened, or during the customer's subsequent drilling), the index level of the affected meta key can be changed to tune performance. The recommended index level for a meta key that is drilled on is IndexValues; IndexKeys is appropriate for keys that are only checked for presence and never filtered by value.
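As an added example (not part of the original article), the fragment below shows how the three levels look in a Concentrator custom index file, with one meta key declared at each level. The key names and descriptions, the file path, and the valueMax and defaultAction attributes are illustrative assumptions and are not taken from the article.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not from the original article.
     Assumed location: /etc/netwitness/ng/index-concentrator-custom.xml -->
<language level="IndexNone" defaultAction="Auto">

  <!-- IndexNone: only defines and documents the key and pins its data type.
       Nothing is indexed, so the key cannot be drilled on from Investigation. -->
  <key description="Example Score" level="IndexNone" name="example.score" format="UInt32"/>

  <!-- IndexKeys: records which sessions carry this key, not its values.
       Shows up collapsed in Investigation, so it costs nothing on first render,
       but a where clause on a specific value cannot use the index. -->
  <key description="Example Flag" level="IndexKeys" name="example.flag" format="Text"/>

  <!-- IndexValues: every unique value is indexed, which is what value drills need.
       valueMax (assumed attribute) caps the number of unique values retained for
       the key; defaultAction="Open" (assumed attribute) makes the key render
       expanded, i.e. the UI will run a values query for it on the first page. -->
  <key description="Example Host" level="IndexValues" name="example.host" format="Text"
       valueMax="100000" defaultAction="Open"/>

</language>
```

The Concentrator service must be restarted for changes to the custom index to take effect, and sessions already stored keep the index they were written with until the index is rebuilt, so verify the effect on newly captured traffic before judging the tuning.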