RSA Admin

Indexed fields for reports - what is the definitiative answer?

Discussion created by RSA Admin Employee on Jan 31, 2011
Latest reply on Feb 2, 2011 by RSA Admin

After watching these videos and reading the documention, one of the best practices constantly addressed is using an indexed field.  However, some of the documentation contradicts itself to various degrees.

 

In Dave Glover's video entitled "Cool Things with Reporting" (Slide 1) he mentions four indexed fields:

 

(1) Date/Time

(2) Message ID

(3) IP Address

(4) Event Category

 

In Dave's latest video on reporting entitled, "Advanced Tips and Tricks (from October 2010)" he mentions these are the four indexed fields:

 

(1) Date/Time

(2) Message ID

(3) IP Address

(4) Device Type

 

In the SCOL document entitled "RSA enVision 4.0 Quick Start for Reports" it mentions only three indexed fields (p. 35):

 

(1) Date/Time

(2) Message ID

(3) IP Address

 

Given that all three sources indicate that three of the four index fields are the same, I believe that these fields are indexed.  What about Event Category and Device Type?  I am leaning toward Device Type as the fourth indexed field.

 

Anyone know for sure which one is the fourth indexed field?  Or are there only three...or four...or even five indexed fields?

Outcomes