This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA enVision® Discussions

Browse the RSA enVision discussion board to get product help and collaborate with other users of RSA enVision.
RSAAdmin
Beginner
Beginner
‎2011-01-31 08:48 PM

Indexed fields for reports - what is the definitiative answer?

After watching these videos and reading the documention, one of the best practices constantly addressed is using an indexed field.  However, some of the documentation contradicts itself to various degrees.

 

In Dave Glover's video entitled "Cool Things with Reporting" (Slide 1) he mentions four indexed fields:

 

(1) Date/Time

(2) Message ID

(3) IP Address

(4) Event Category

 

In Dave's latest video on reporting entitled, "Advanced Tips and Tricks (from October 2010)" he mentions these are the four indexed fields:

 

(1) Date/Time

(2) Message ID

(3) IP Address

(4) Device Type

 

In the SCOL document entitled "RSA enVision 4.0 Quick Start for Reports" it mentions only three indexed fields (p. 35):

 

(1) Date/Time

(2) Message ID

(3) IP Address

 

Given that all three sources indicate that three of the four index fields are the same, I believe that these fields are indexed.  What about Event Category and Device Type?  I am leaning toward Device Type as the fourth indexed field.

 

Anyone know for sure which one is the fourth indexed field?  Or are there only three...or four...or even five indexed fields?

0 Likes
Reply
3 Replies
RSAAdmin
Beginner
Beginner
‎2011-02-01 09:03 AM

I can't identify the fourth indexed field (or the 5th Beetle for that matter), but perhaps this could be deduced from the iSQL GUI? Great detective work sleuthing out the discrepancies in the RSA materials, Brock.

David
0 Likes
Reply
RSAAdmin
Beginner
Beginner
‎2011-02-02 11:44 AM

The correct answer is the second set of fields you list. The 4 indicies are:

 

Date/Time

Device Type

Device IP Address

Message ID

 

Look at it this way:

The indexing is based on the structure of and the raw data stored in the IPDB.  The folder levels, as you go deeper, are:

Device Type

>>Device IP Address

>> >> Date-Time

At this level you will find the packages, which contain the Message IDs themselves.

 

Event Category is not an indexed field because it is an entity that requires parsing before it is known.

 

I hope that clears it up.

0 Likes
Reply
RSAAdmin
Beginner
Beginner
In response to RSAAdmin
‎2011-02-02 08:24 PM

Thanks Matt.  Explaining your answer using the IPDB allows me to understand the indexed fields much better.

0 Likes
Reply
© 2020 RSA Security LLC or its affiliates.
All rights reserved.