Field-Based Indexing

Field-based indexing lets Logger index individual event fields. The fields are based on a predetermined schema. Logger’s reports and the field search method use these indexed fields to yield significant search and reporting performance gains.

Field-based indexing for a recommended set of fields is automatically enabled at Logger initialization time. You can add more fields to an index at any time. (See “To add fields to the field-based index” for instructions.) Once a field has been added, you cannot remove it.

A list of the default index fields, along with their field descriptions, is available from the Logger Configuration menu. For instructions on how to view the default Logger Schema fields, see “Default Fields.”

Note: Micro Focus strongly recommends that you index fields that you will be using in search and report queries.

Fields created when a predefined or user-defined rex parser parses non-CEF events cannot be indexed using the field-based indexing capability. See “Parsers” for more information about rex parsers.

In addition to indexing the fields included in the field-based indexing list, Logger indexes event metadata fields—event time, Logger receipt time, and device address—for every event. The event metadata fields are also known as “internal” fields.

The following fields are available for indexing. The fields that Logger starts indexing automatically after Logger initialization are indicated in bold font.

Note: Logger allows indexing of the requestUrl field. This field returns website addresses from the World Wide Web. Indexing requestUrl will return results faster, but will also significantly increase the size of your search results, which may impact your search storage capacity.

| Index Fields | | |
|---|---|---|
| agentAddress | deviceCustomDate2 | flexDate1Label |
| agentHostName | deviceCustomDate2Label | filePath |
| agentNtDomain | deviceCustomNumber1 | flexNumber1 |
| agentSeverity | deviceCustomNumber1Label | flexNumber1Label |
| agentType | deviceCustomNumber2 | flexNumber2 |
| agentZone | deviceCustomNumber2Label | flexNumber2Label |
| agentZoneName | deviceCustomNumber3 | flexString1 |
| agentZoneResource | deviceCustomNumber3Label | flexString1Label |
| agentZoneURI | deviceCustomString1 | flexString2 |
| applicationProtocol | deviceCustomString1Label | flexString2Label |
| baseEventCount | deviceCustomString2 | message |
| bytesIn | deviceCustomString2Label | name |
| bytesOut | deviceCustomString3 | priority |
| categoryBehavior | deviceCustomString3Label | requestClientApplication |
| categoryDeviceGroup | deviceCustomString4 | requestContext |
| categoryObject | deviceCustomString4Label | requestMethod |
| categoryOutcome | deviceCustomString5 | requestUrl |
| categorySignificance | deviceCustomString5Label | requestUrlFileName |
| categoryTechnique | deviceCustomString6 | requestUrlQuery |
| customerName | deviceCustomString6Label | sessionId |
| destinationAddress | deviceEventCategory | sourceAddress |
| destinationDnsDomain | deviceEventClassId | sourceHostName |
| destinationHostName | deviceExternalId | sourceMacAddress |
| destinationMacAddress | deviceHostName | sourceNtDomain |
| destinationNtDomain | deviceInboundInterface | sourcePort |
| destinationPort | deviceOutboundInterface | sourceProcessName |
| destinationProcessName | deviceProduct | sourceServiceName |
| destinationServiceName | deviceReceiptTime | sourceTranslatedAddress |
| destinationTranslatedAddress | deviceSeverity | sourceUserId |
| destinationUserPrivileges | deviceVendor | sourceUserName |
| destinationUserId | deviceVersion | sourceUserPrivileges |
| destinationUserName | deviceZone | sourceZone |
| destinationZone | deviceZoneName | sourceZoneName |
| destinationZoneName | deviceZoneResource | sourcezoneResource |
| destinationZoneResource | deviceZoneURI | sourceZoneURI |
| destinationZoneURI | endTime | startTime |
| deviceAction | eventId | transportProtocol |
| deviceAddress | externalId | type |
| deviceCustomDate1 | fileName | vulnerabilityExternalID |
| deviceCustomDate1Label | flexDate1 | vulnerabilityURI |
