Skip navigation

Log in to create and rate content, and to follow, bookmark, and share content with other members.

000032469 - How to index RSA Security Analytics event.time meta if its required

Document created by RSA Customer Support

on Jun 30, 2016•Last modified by RSA Customer Support on Jan 23, 2018

Version 3Show Document

Like • Show 0 Likes0
Comment • 0
View in full screen mode

Article Content

Article Number	000032469
Applies To	RSA Product Set: RSA Security Analytics RSA Product/Service Type: Packet Decoder, Log Decoder, Concentrator, Archiver, SA Server RSA Version/Condition: 10.4.x,10.5.x,10.6.x
Issue	How to index event.time meta if it is required.
Resolution	Technically it is possible to index event.time, but it creates problems with the index because having unique values created in your index will grow it massively, leading to performance issues as well as other side effects. However, you can still make use of the event.time meta in your reports when in the select clause (index is used only if you need something in the where clause). If you need to index, then do it as IndexKey instead of IndexValues. For example, <key description="Event Time" format="TimeT" level="IndexKey" name="event.time" valueMax="0" />

Attachments

Outcomes

0 Comments