Adding filters to improve search performance

When you search for event or flow information, you can improve performance by adding filters to search fields that are indexed.

About this task

The following table provides information about the fields that are indexed:

Table 1. Log viewer and flow viewer indexed fields

QRadar SIEM Tab                 Indexed Filter
------------------------------  --------------------------
Log Activity tab (Events)       Username
                                Source or Destination IP
                                Destination Port
                                Has Identity
                                Device Type
                                Device ID
                                Category
                                Matches Custom Rule
Network Activity tab (Flows)    Application
                                Source or Destination IP
                                Destination Port

Procedure

  1. Click the Log Activity tab, or the Network Activity tab.
  2. On the toolbar, click Add Filter.
  3. From the first list, select an index filter.
  4. From the second list, select the modifier that you want to use.
  5. Type or select the information for your filter. The controls that are displayed depend on the index filter that you added.
  6. Click Add Filter.

What to do next

You can monitor the performance of your search by expanding the Current Statistics option on the Search page. The page displays the volume of data that loads from data files and from indexes. If your search does not display a count for the index file count, add an indexed filter to the search.