
Event.time index and search - Bad idea?

Question asked by Max Boaventura on Jul 6, 2016
Latest reply on Jul 7, 2016 by David Waugh

There are many reasons to execute a search over the event.time values (I'm talking about reporting basically).

In the last two years using the SA I've faced the same situation many times and the solutions were always provided by some kind of inefficient search over the raw log.


After opening a case I received the following answer and I can't see this as the final word. The answer is also now an article in the knowledge base (000032469 - RSA Security Analytics - How to index "event.time" meta if its required).


"Technically it is possible to index event.time but it creates problems with the index. What happens is basically having unique values created in your index which will grow massively, so leading to performance issues and a lot of other side effects."

Following that, it is advised to index the meta at IndexKey level, which is useless in my opinion in this case.


What I just can't accept is the fact we are talking about the "same" time already indexed by the solution. By "same" I mean the same datatype, not the same meta.

I see the point as a DATEANDTIME/TIMESTAMP field to be indexed. Simple as that.


index-concentrator.xml

    <!-- time needs to always be indexed at value level -->
    <key description="Time" format="TimeT" level="IndexValues" name="time" valueMax="0" />
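For readers comparing the two options discussed in the post, here is an added illustration (not from the original post, and not RSA's own configuration) of what the two index levels look like side by side: an event.time entry at value level, which is the setting support warns grows the index by one entry per distinct timestamp, and the same key at IndexKeys level, which is what support advised. The file name index-concentrator-custom.xml, the description text, and the placement inside the file's existing root element are assumptions.

```xml
<!-- Added example, not part of the original post or of the product's shipped files.
     Assumed location: the custom index overlay index-concentrator-custom.xml,
     placed inside that file's existing root element. -->

<!-- Option A: value-level index on event.time, valueMax="0" meaning no cap.
     Every distinct timestamp becomes its own index entry, so the index grows
     with event volume; this is the configuration support warned against. -->
<key description="Event Time" format="TimeT" level="IndexValues" name="event.time" valueMax="0" />

<!-- Option B: key-level index, as support advised.
     The key is known to the index so it can be selected and reported on,
     but individual values are not indexed, so the index does not grow
     per unique timestamp. Searching a specific event.time value still
     falls back to scanning the stored meta rather than an index lookup. -->
<key description="Event Time" format="TimeT" level="IndexKeys" name="event.time" />
```

Only one of the two entries would be present at a time; the pair is shown together so the single attribute that differs, level, is easy to spot when reviewing a Concentrator's custom index file.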
