Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Adding Filters to Improve Search Performance

When you search for event or flow information, you can improve performance by adding filters to search fields that are indexed.

The following table provides information about the fields that are indexed:

Table 1: Log Viewer and Flow Viewer Indexed Fields

JSA Tab

Indexed Filter

Log Activity tab (Events)

Username

Source or Destination IP

Destination Port

Has Identity

Device Type

Device ID

Category

Matches Custom Rule

Network Activity tab (Flows)

Application

Source or Destination IP

Destination Port

  1. Click the Log Activity tab, or the Network Activity tab.

  2. On the toolbar, click Add Filter.

  3. From the first list, select an index filter.

  4. From the second list, select the modifier that you want to use.

  5. Type or select the information for your filter. The controls that are displayed depend on the index filter that you added.

  6. Click Add Filter.

You can monitor the performance of your search by expanding the Current Statistics option on the Search page. The page displays the volume of data that loads from data files and indexes. If your search does not display a count in the index file count, then add an indexed filter to the search.

Enabling Quick Filtering

You can enable the Quick Filter property to optimize event and flow search times. You can use the Quick Filter option to search event and flow payloads by typing free text search criteria.

  1. Log in to JSA as an administrator.

  2. On the navigation menu, Click Admin.

  3. On the navigation menu, click System Configuration.

  4. Click the Index Management icon.

  5. In the Quick Search field, type Quick Filter.

  6. Select the Quick Filter property that you want to index.

    You can identify the event and flow Quick Filter properties by using the value in the Database column.

  7. On the toolbar, click Enable Index.

    A green dot indicates that the payload index is enabled.

  8. Click Save.

  9. Click OK.

    The selected Quick Filter properties are indexed.

    If a list includes event or flow properties that are indexed, these indexed property names are appended with the following text:

    [Indexed]

Related Documentation