See Also
To take advantage of superindexing and get the fastest search results, run an equal to (=) search, such as sourceAddress=192.0.2.0, and write the indexed search portion of your query to find uncommon values in the super-indexed fields listed in the table below.
|
deviceEventClassId |
deviceProduct |
deviceVendor |
destinationHostName |
|
destinationPort |
destinationAddress |
destinationUserId |
destinationUserName |
|
deviceAddress |
deviceHostName |
sourceHostName |
sourcePort |
|
sourceAddress |
sourceUserId |
sourceUserName |
|
Note: Unlike the indexed fields discussed in Field-Based Indexing, you cannot add to the list of super-indexed fields.
Search on super-indexed fields only using the = operator, and only AND with non-super-indexed fields for fastest search performance. Superindexes speed up searches that use the equal to (=) operator in the indexed search portion of the query expression. They have no performance impact on searches that use greater than (>), less than (<), not equal to (!=), or other operators in the indexed search portion of the query. While Logger supports full-text search, search on fields that are not super-indexed, and searches that use operators such as >, less than <, !=, and so on. Such searches may not provide the greatest search speed.
Using AND and OR with the = operator can be very powerful when searching super-indexed fields. However, to obtain the greatest search speed improvement, you must use them carefully. The table below provides examples to help you understand how to write queries that take advantage of the power of superindexing.
|
Query |
Does It Improve Search Speed? |
|---|---|
|
arcsight (full text) |
No difference. This is a full text query, and so does not take advantage of super-indexed field-search speed improvements. |
|
192.0.2.0 (full text that looks like a super-indexed field) |
No difference. While this could be an IP address, it is a full text search, not an = search against one of the super-indexed fields, and so does not take advantage of super-indexed field-search speed improvements. |
|
sourceAddress = 192.0.2.0 (= on a super-indexed field) |
The search speed is improved and the results return very quickly when there are no hits. If Logger has not encountered 192.0.2.0 as a sourceAddress, it quickly returns the message "No results were found". If it has encountered that sourceAddress, the range of events to be searched is narrowed down. |
|
sourceAddress = 192.0.2.0 OR sourceAddress = 192.0.2.2 (= using OR on super-indexed fields) |
The search speed is improved and the results return very quickly when there are no hits. If Logger has not encountered 192.0.2.0 or 192.0.2.2 as a sourceAddress, it quickly returns the message "No results were found". If it has encountered one or the other, the range of events to be searched is narrowed down. |
|
sourceAddress = 192.0.2.0 AND destinationAddress = 192.0.2.2 (= using AND on super-indexed fields) |
The search speed is improved and the results return very quickly when there are no hits. If Logger has not encountered 192.0.2.0 as a sourceAddress, it quickly returns the message "No results were found". Similarly, if Logger has not encountered 192.0.2.2 as a destinationAddress, it quickly returns the message "No results were found", even if it has encountered 192.0.2.0 as a sourceAddress. If Logger has encountered both, the range of events to be searched is narrowed down. |
|
sourceAddress != 192.0.2.0 (!= on a super-indexed field) |
No difference. Superindexing does not help with negations, so this query does not take advantage of super-indexed field-search speed improvements. |
|
sourceAddress != 192.0.2.0 OR destinationAddress= 192.0.2.2 (!= using OR on Super-indexed fields) |
No difference. Since there is a negation on the sourceAddress and this is an OR condition, this query does not take advantage of super-indexed field-search speed improvements. |
|
sourceAddress != 192.0.2.0 AND destinationAddress = 192.0.2.2 (!= using AND on Super-indexed fields) |
The search speed is improved and the results return very quickly when there are no hits. Since this is an AND condition, both conditions need to be true. Even though there is a negation on the sourceAddress, if Logger has not encountered a destinationAddress address of 192.0.2.2, this AND condition will never be satisfied. In that case, it quickly returns the message "No results were found". If Logger has encountered that destinationAddress, the range of events to be searched is narrowed down. |
|
sourceAddress = 192.0.2.0 AND arcsight (= on super-indexed field AND full text) |
The search speed is improved and the results return very quickly when there are no hits. If Logger has not encountered a sourceAddress of 192.0.2.0, this AND condition will never be satisfied. In that case, it quickly returns the message "No results were found", even though there is a full text search. If Logger has encountered that sourceAddress, the range of events to be searched is narrowed down. |
|
sourceAddress = 192.0.2.0 OR arcsight (= on super-indexed field OR full text) |
No difference. Regardless of whether Logger has encountered a sourceAddress of 192.0.2.0, the OR condition requires a full text search for "arcsight", so this query does not take advantage of super-indexed field-search speed improvements. |
|
name = "CPU Usage" AND sourceAddress = 192.0.2.0 (indexed field AND super-indexed field) |
The search speed is improved and the results return very quickly when there are no hits. Even though name is not one of the super-indexed fields, because the query uses an AND condition, Logger quickly returns the message "No results were found" if it has not encountered a sourceAddress of 192.0.2.0. If Logger has encountered that sourceAddress, the range of events to be searched is narrowed down. |
|
name = "CPU Usage" OR sourceAddress = 192.0.2.0 (indexed field OR super-indexed field) |
No difference. Even though sourceAddress is one of the super-indexed fields, because it is in an OR condition with name, which is not super-indexed, this query does not take advantage of super-indexed field-search speed improvements. |
|
sourceAddress = 192.0.2.0 AND (sourceHostName = myhost.com OR sourcePort = 80) AND (destinationAddress = 192.0.2.2 OR arcsight) (super-indexed field AND (nested OR condition) AND (nested OR condition)) |
Results return very quickly when there are no hits. If Logger has not encountered a sourceAddress of 192.0.2.0, the top level AND will never be true. It quickly returns the message "No results were found" in that case. If Logger has not encountered a sourceHostName of myhost.com AND it has not encountered a sourcePort of 80, then the OR condition will never be true. Thus the top level AND condition will never be true. It quickly returns the message "No results were found" in that case. If Logger cannot show that the above conditions are false, then there will be no difference in search speed. |