Investigation: Set Quantification Method and Sort Sequence of Meta Key Results

Document created by RSA Information Design and Development on Jul 22, 2016
Version 1
 

This topic provides a procedure for selecting the way results for each meta key are quantified and sequenced in the Investigation > Navigate view.

Each meta key section in the Investigation > Navigate view contains an ordered list of values showing each meta key value (Value) and its count (Total). You can specify whether:

  • The results in each meta key section are sorted based on Value or Total.
  • The results are sorted in ascending or descending order.
  • The values shown for each meta key are quantified by number of packets (Packet Count), number of sessions or logs (Quantify by Event Count) or by the size of events (Quantify by Event Size).

Note: If you are viewing metadata from both a log decoder and a packet decoder, what is actually counted depends on the type of key. If you select Quantify by Packet Count and are looking at logs, the Navigate view output is the same as if you had selected Quantify by Event Count (see Investigation - Navigate View for details).

This image shows the Event Type meta key presented in order by Total in Descending order. The value with the greatest count of matches is presented first. The value configuration has 232 matches and is listed first. The value management has only eight matches and is presented last. The quantification method is Event Count.

SortTotDesc.png

This image shows the Event Type meta keys presented in order by Value in Descending order. The value names are presented in alphabetical order starting at the end of the alphabet. The value management is listed first. The value authentication is presented last. The quantification method is Event Count.

SortValDesc.png

To select the quantification method of meta key count and ordering of meta key results displayed in the Navigate view:

  1. In the toolbar, select Event Count, Event Size, or Packet Count and choose one of the quantification options in the drop-down menu. The label for the menu displays the selected option.
    INVQuantifyMn.png
    The current view is reloaded according to your selection.
  2. In the toolbar, select Total or Value and choose one of the ordering methods in the drop-down menu. The label for the menu displays the selected option.
    INVOrderMn.png
    The current view is reloaded according to your selection.
  3. In the toolbar, select Ascending or Descending and choose one of the sort order options in the drop-down menu. The label for the menu displays the selected option.
    The current view is reloaded according to your selection.
    INVSortMn.png