000032469 - How to index RSA Security Analytics event.time meta if its required

Document created by RSA Customer Support Employee on Jun 30, 2016Last modified by RSA Customer Support on Jan 23, 2018
Version 3Show Document
  • View in full screen mode

Article Content

Article Number000032469
Applies ToRSA Product Set: RSA Security Analytics 
RSA Product/Service Type: Packet Decoder, Log Decoder, Concentrator, Archiver, SA Server
RSA Version/Condition: 10.4.x,10.5.x,10.6.x
IssueHow to index event.time meta if it is required.
ResolutionTechnically it is possible to index event.time, but it creates problems with the index because having unique values created in your index will grow it massively, leading to performance issues as well as other side effects.  However, you can still make use of the event.time meta in your reports when in the *select* clause (index is used only if you need something in the *where* clause). 
If you need to index, then do it as IndexKey instead of IndexValues.  For example,

<key description="Event Time" format="TimeT" level="IndexKey" name="event.time" valueMax="0" />