Guidelines for Field-Based Indexing

Make sure you are familiar with these guidelines before you index any fields:

Events are indexed by the fields in the “Indexed fields” list (on the Search Indexes page) and the default event metadata fields—event time, Logger event, and device address.
You can index up to 123 fields on Logger. This number includes the custom schema fields you may have added to your Logger.
Once a field has been added to the index, it cannot be undone.
Only users belonging to a System Admin Group can add fields to index.
After you add a field to the index, Logger might not immediately start indexing on that field. Therefore, allow some time between adding a field and using it in the search query. If Logger is in the process of indexing a field and you use that field to run a search query, the search performance for that operation will be slower than expected.
If an event field contains data of unexpected type (for example, a string when an integer is expected), the data is ignored. Therefore, search for that data value will not yield any results. For example, if the port field contains a value 8080A (alphanumeric) instead of 8080 (numeric), the alphanumeric value is ignored.
For faster report generation, ALL fields of a report (including the fields being displayed in the report) need to be indexed. That is, in addition to the fields in the WHERE clause of the query, the fields in the SELECT clause also need to be indexed.
For optimal search performance, make sure that event fields on ALL peers are indexed for the time range specified in a query. If an event field is indexed on a Logger but not on its peers for a specific time range, a distributed search will run slower on the Logger peers. However, it will run at optimal speed on the local Logger. Therefore, the search performance in such a setup will be slow.
Logger supports indexing of the requestUrl field. This field returns website addresses from the World Wide Web. Indexing requestUrl will return results faster, but will also significantly increase the size of your search results, which may impact your search storage capacity.