Use Index Management to control database indexing on event and flow properties. To improve the speed of searches in IBM® QRadar®, narrow the overall data by adding an indexed field in your search query.
An index is a set of items that specify information about data in a file and its location in the file system. Data indexes are built in real-time as data is streamed or are built upon request after data is collected. Searching is more efficient because systems that use indexes don't have to read through every piece of data to locate matches. The index contains references to unique terms in the data and their locations. Because indexes use disk space, storage space might be used to decrease search time.
Use indexing event and flow properties first to optimize your searches. You can enable indexing on any property that is listed in the Index Management window and you can enable indexing on more than one property. When a search starts in QRadar, the search engine first filters the data set by indexed properties. The indexed filter eliminates portions of the data set and reduces the overall data volume and number of event or flow logs that must be searched. Without any filters, QRadar takes more time to return the results for large data sets.
For example, you might want to find all the logs in the past six months that match the text: The operation is not allowed. By default, QRadar stores full text indexing for the past 30 days. Therefore, to complete a search from the last 6 months, the system must reread every payload value from every event or flow in that time frame to find matches. Your results display faster when you search with an indexed value filter such as a Log Source Type, Event Name, or Source IP.
The Index Management feature also provides statistics, such as:
- The percentage of saved searches running in your deployment that include the indexed property
- The volume of data that is written to the disk by the index during the selected time frame
To enable payload indexing, you must enable indexing on the Quick Filter property.