Reporting: Tune IPDB Rules

Document created by RSA Information Design and Development on Jun 26, 2017
Version 1Show Document
  • View in full screen mode
  

This topic describes how you can create rule definitions to enhance performance of reports. You can create rule definitions to enhance the performance of the reports. The following lists how you define the rules to achieve performance gains:

  • Performance gains are realized if the variables in the WHERE clause contain IPDB index variables with exact match clauses (‘=’, ‘IN).
  • Performance improvements are NOT seen when exact match clauses such as ‘LIKE’, GREATER THAN ‘>’, and LESS THAN ‘<’ operators are used with the IPDB index variables.

The sample queries in the following table help you understand the impact of the query on the performance of the reports.

                                          
Case NoWhere ClausePerformance gain expectedRemarks
1IndexedVar1 = ‘value1’ AND
UnIndexedVar2 = ‘value2’
YesIPDB filter index for the IndexedVar1 is checked to verify if ‘value1’ exists or not. If ‘value1’’ exists, the data file is read, else it is skipped. 
2UnIndexedVar2 = ‘value2’ AND
IndexedVar1 = ‘value1’
YesIPDB filter index is applied only on IndexedVar1 to check if ‘value1’ exists or not. If ‘value1’ exists, the data file is read, else it is skipped.
The order of  indexed and
unindexed variable is irrelevant.
3IndexedVar1 = ‘value1’ OR
UnIndexedVar2 = ‘value2’
NoIPDB filter index cannot decide the availability of data due to ‘OR’
operator between indexed and unindexed variable.
4IndexedVar1 = ‘value1’ OR
IndexedVar2 = ‘value2’
YesIPDB filter index will be applied on both
IndexedVar1 and IndexedVar2 to
check for ‘value1’ and ‘value2’ respectively. If any of the values exist, then the data file is read, else it is skipped.
5IndexedVar1 = ‘value1’ AND
UnIndexedVar2 LIKE ‘value%’
YesIPDB filter index is applied only on IndexedVar1 to check if ‘value1’ exists or not. If the ‘value1’ exists, the data file is read, else it is skipped.
6IndexedVar1 LIKE ‘value1%’
AND UnIndexedVar2 LIKE
‘value2%’
NoNo IPDB filter index works only with exact match clauses.
7IndexedVar1 LIKE ‘value1%’
AND UnIndexedVar2 LIKE
‘value2%’ AND IndexedVar3 =
‘value3’
YesIPDB filter index is applied only on IndexedVar3 to check if ‘value3’ exists or not. If the ‘value1’ exists, the data file is read, else it is skipped.

Some examples of the rule definitions with indexed variables are provided in this section.

Case 1 Example: Indexed variable with AND operator 

The following is an example of a query for Case 1: 

            
Case NoWhere ClausePerformance gain expectedRemarks
1.IndexedVar1 = ‘value1’ AND

UnIndexedVar2 = ‘value2’
YesIPDB filter index for the IndexedVar1 is checked to verify if ‘value1’ exists or not. If ‘value1’’ exists, the data file is read, else it is skipped. 

The query is defined to view the Destination IP addresses with a specific level value. Note that the where clause contains the indexed variable ip.dst and unindexed variable level with AND operator. 

BloomFilterRule1.png

Though the records are in millions, the report is rendered quickly using with the help of the indexed variable: 

BloomFilterResult1.png

Case 5 Example: Indexed variable with LIKE function 

The following is an example of a query for Case 5:

            
Case NoWhere ClausePerformance gain expectedRemarks
5.IndexedVar1 = ‘value1’ AND
UnIndexedVar2 LIKE ‘value%’
YesIPDB filter index is applied only on
IndexedVar1 to check if ‘value1’
exists or not. If the ‘value1’ exists, the data file is read, else it is skipped.

 The following is an example of a query to view the Source IP addresses for specific user. Note that the where clause contains the indexed variable ip.src and unindexed variable user.dst with LIKE option as mentioned in Case 5 in the table. 

BloomFilterRule7.png

Case 3 Example: Indexed variable with OR operator 

The following is an example of a query for Case 3: 

            
Case NoWhere ClausePerformance gain expectedRemarks
3.<IndexedVar1 = ‘value1’ OR
UnIndexedVar2 = ‘value2’
NoIPDB filter index cannot decide the
availability of data due to ‘OR’
operator between indexed and
unindexed variable.

The below query is defined to view the Destination IP addresses with a specific level value. Note that the where clause contains the indexed variable ip.dst and unindexed variable level with OR operator. There will be no performance gain with the below query. 

BloomFilterRule3.png

Previous Topic:Test a Rule
You are here
Table of Contents > Working with Reporting Rules > Define Rule Groups and Rules > Tune IPDB Rules

Attachments

    Outcomes