The Quick Filter is a search bar that is displayed on both the Log Activity and Network Activity tabs in QRadar and is one of the fastest methods for searching event or flow data. The Quick Filter works similarly to a 'Google-style' search: you can add one or more terms, or use regular expressions. If the Quick Filter is used with other search parameters, the Quick Filter runs first, and the remaining search parameters are applied to further narrow the results.

To work efficiently, the Quick Filter requires that a Payload Index was created when the data was first received by QRadar. If a Payload Index does not exist for the time frame being searched, QRadar creates a Payload Index for all data contained within that time frame, which causes this initial search to take longer to complete. Subsequent searches against the same data, run within the same day, are quicker because the appliance can use the newly created Payload Indexes.

Figure 1: Using the Quick Filter, we are able to search 267 MB of data in just over one second.

Payload Indexes that fall outside the Payload Index Retention period are removed overnight.

To adjust the Payload Index Retention settings from the Console:

3) Locate the Database Settings section and adjust the retention period.
4) Set the Payload Index Retention only to the time frame typically searched, as Payload Indexes use extra disk space.

The default Payload Index Retention period is 30 days, the minimum is 1 day, and the maximum is 2 years. Note: Administrators who want to retain payload indexes longer than the default value should be aware that extra disk space will be used to retain the index for the longer period. The retention values should reflect the time spans that users or security operators are typically searching.
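The following Python model is an added example, not QRadar code, that illustrates the behaviour described above: a Quick Filter search builds a Payload Index on demand for any day in the searched time frame that has none (the slow first search), reuses existing indexes on later searches, applies the Quick Filter term before the other search parameters, and drops indexes older than the retention window during an overnight cleanup bounded by the 1 day to 2 year limits from the page. The per-day index granularity, the token-based matching, the sample events and all names (`PayloadIndexStore`, `quick_filter_search`, `TODAY`, `EVENTS`) are assumptions made for the illustration.

```python
# Constructed model of Quick Filter searches over per-day Payload Indexes and of
# Payload Index Retention cleanup. Toy code for illustration, not QRadar's implementation.
import re
from dataclasses import dataclass, field
from datetime import date, timedelta

# Bounds stated on the page: default 30 days, minimum 1 day, maximum 2 years.
DEFAULT_RETENTION_DAYS = 30
MIN_RETENTION_DAYS = 1
MAX_RETENTION_DAYS = 2 * 365


@dataclass
class Event:
    day: date
    source_ip: str
    payload: str


@dataclass
class PayloadIndexStore:
    """Per-day token index; a day's index is built the first time it is searched."""
    retention_days: int = DEFAULT_RETENTION_DAYS
    indexes: dict = field(default_factory=dict)  # date -> {token: set(event ids)}
    builds: int = 0                               # indexes built on demand so far

    def __post_init__(self):
        if not MIN_RETENTION_DAYS <= self.retention_days <= MAX_RETENTION_DAYS:
            raise ValueError(
                f"retention must be {MIN_RETENTION_DAYS}..{MAX_RETENTION_DAYS} days")

    def ensure_index(self, day, events):
        """Build the index for `day` if it is missing (the slow path). Returns True if built."""
        if day in self.indexes:
            return False
        tokens = {}
        for eid, ev in enumerate(events):
            if ev.day == day:
                for tok in re.findall(r"\w+", ev.payload.lower()):
                    tokens.setdefault(tok, set()).add(eid)
        self.indexes[day] = tokens
        self.builds += 1
        return True

    def nightly_cleanup(self, today):
        """Remove indexes older than the retention window; returns how many were dropped."""
        cutoff = today - timedelta(days=self.retention_days)
        stale = [d for d in self.indexes if d < cutoff]
        for d in stale:
            del self.indexes[d]
        return len(stale)


def quick_filter_search(store, events, start, end, term, source_ip=None):
    """Quick Filter runs first (index lookup); other parameters narrow the hits afterwards.
    Returns (sorted matching event ids, number of indexes built for this search)."""
    days = [start + timedelta(days=n) for n in range((end - start).days + 1)]
    built = sum(store.ensure_index(d, events) for d in days)
    term_re = re.compile(term, re.IGNORECASE)  # a plain term or a regular expression
    hits = set()
    for d in days:
        for tok, ids in store.indexes[d].items():
            if term_re.fullmatch(tok):
                hits |= ids
    if source_ip is not None:                  # remaining search parameter
        hits = {eid for eid in hits if events[eid].source_ip == source_ip}
    return sorted(hits), built


# Constructed sample data: a fixed "today" and four events, one older than 30 days.
TODAY = date(2024, 3, 15)
EVENTS = [
    Event(TODAY - timedelta(days=40), "10.0.0.1", "sshd authentication failed for root"),
    Event(TODAY - timedelta(days=2), "10.0.0.2", "sshd authentication failed for admin"),
    Event(TODAY - timedelta(days=1), "10.0.0.2", "user login succeeded"),
    Event(TODAY, "10.0.0.3", "authentication failed invalid password"),
]


def demo():
    """Walk through first search, cached search, combined filters and overnight cleanup."""
    store = PayloadIndexStore()
    recent = (TODAY - timedelta(days=2), TODAY)
    first = quick_filter_search(store, EVENTS, *recent, "failed")      # builds 3 indexes
    second = quick_filter_search(store, EVENTS, *recent, "failed")     # builds 0
    narrowed = quick_filter_search(store, EVENTS, *recent, "fail.*", source_ip="10.0.0.2")
    old_day = TODAY - timedelta(days=40)
    old = quick_filter_search(store, EVENTS, old_day, old_day, "failed")  # builds 1 more
    dropped = store.nightly_cleanup(TODAY)                             # removes the old one
    return {"first": first, "second": second, "narrowed": narrowed,
            "old": old, "dropped": dropped, "remaining": len(store.indexes)}


if __name__ == "__main__":
    print(demo())
```

The `demo()` walk-through shows why the page advises matching retention to the time spans people actually search: a search that reaches back past the retention window pays the index-build cost again, while indexes kept beyond it only consume disk.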