Daniel_Kavan
Advisor

query on resource or user_group

I can do a query on service:https for example, but why/how can I query on user_group: or resource:? I found that if I use 'resource:PT', no results are found. However, if I just query on PT and leave the 'resource:' part out, the query returns the correct results. Is it because not all fields are indexed? If so, is there a way to add a field like resource or user_group to the index?

0 Kudos

3 Replies
PhoneBoy
Admin

Not even clear what “resource” means in this context, but you are correct: not every field is indexed or can be referred to directly in a search.
Adding fields to the search index requires an RFE.
That said, the community feedback has been that R81 has additional fields indexed.

0 Kudos
Daniel_Kavan
Advisor

Is there a list where you can see what fields are indexed in R80.40 vs R81? So, it sounds like you can't add a field to be indexed.

Resource is a field in the Forensic details along with Reason and Threat Wiki. I wonder if you do a log_export with the log_exporter tool if Resource and user_group come over.

0 Kudos
PhoneBoy
Admin (Accepted Solution)

Pretty sure this information comes across via Log Exporter, though I haven't checked.

The fact you can search and find that specific result is a good sign the necessary field is indexed, there just may not be a way to refer to that specific field.

I believe the schema files are in $RTDIR/solr/configsets and you can see what fields are indexed by their internal name.
Theoretically, these can be modified as well, but we don't support this and doing so can cause a significant performance degradation.
An RFE through the local office would be required to confirm if this could be done.

Meanwhile, there is an interesting tidbit in the R81.10 EA release notes that is relevant: "The Solr functionality is replaced with a PostgreSQL database to improve the stability and performance of the Security Management Server."
Solr is used not only for logs, but for searching some parts of the Security Management database as well.
Solr will be removed in R81.10 for non-logging functions, but it will still be used for logs.
In addition, Solr was upgraded as part of R81, which led to some performance/stability improvements.

(Edited statement related to Solr removal on 24 June 2021)

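The accepted answer points at the Solr schema files under $RTDIR/solr/configsets as the place to see which fields are indexed under their internal names. The following is an added example, not code from the thread or from Check Point: it parses a Solr schema.xml and answers, for a given field name, whether a `name:value` query can target it. The schema content is constructed here for illustration (the field names and the `copyField` into a catch-all `_text_` field are assumptions about how such a schema might look, not a description of a real log server); the catch-all copy is the common Solr arrangement under which a bare search for a value matches while `resource:value` returns nothing, which is the behaviour the question describes. Reading indexed-ness is harmless; the answer is explicit that editing these files is unsupported.

```python
"""List which Solr schema fields are indexed and can be targeted as field:value.

Added example; schema content is constructed, not a real Check Point configset.
"""
import fnmatch
import os
import xml.etree.ElementTree as ET

# Constructed sample schema in Solr schema.xml syntax. Field and type names are
# illustrative assumptions; they are not taken from a real $RTDIR/solr/configsets.
SAMPLE_SCHEMA = """<?xml version="1.0" encoding="UTF-8"?>
<schema name="sample" version="1.6">
  <fieldType name="string" class="solr.StrField" indexed="true" stored="true"/>
  <fieldType name="text_noindex" class="solr.TextField" indexed="false"/>
  <field name="id" type="string" required="true"/>
  <field name="service" type="string" indexed="true"/>
  <field name="resource" type="text_noindex" stored="true"/>
  <field name="user_group" type="string" indexed="false" stored="true"/>
  <field name="_text_" type="string" multiValued="true"/>
  <dynamicField name="*_s" type="string" indexed="true"/>
  <copyField source="*" dest="_text_"/>
</schema>
"""


def _as_bool(value, default):
    """Parse a Solr boolean attribute, falling back to `default` when absent."""
    if value is None:
        return default
    return value.strip().lower() == "true"


def indexed_fields(schema_xml):
    """Return ({field_name: indexed}, [(dynamic_glob, indexed), ...]).

    A field that omits `indexed` inherits the attribute from its fieldType;
    when neither level sets it, Solr's default is true.
    """
    root = ET.fromstring(schema_xml)
    type_default = {
        ft.get("name"): _as_bool(ft.get("indexed"), True)
        for ft in root.iter("fieldType")
    }

    def resolve(elem):
        return _as_bool(elem.get("indexed"), type_default.get(elem.get("type"), True))

    fields = {f.get("name"): resolve(f) for f in root.iter("field")}
    dynamic = [(d.get("name"), resolve(d)) for d in root.iter("dynamicField")]
    return fields, dynamic


def is_searchable_by_name(name, fields, dynamic):
    """True when `name:value` can hit an indexed field, explicit or via a dynamicField glob."""
    if name in fields:
        return fields[name]
    for pattern, indexed in dynamic:
        if fnmatch.fnmatchcase(name, pattern):
            return indexed
    return False


def catch_all_targets(schema_xml):
    """Names of fields that receive copies of every other field (why bare searches still match)."""
    root = ET.fromstring(schema_xml)
    return sorted({cf.get("dest") for cf in root.iter("copyField") if cf.get("source") == "*"})


def find_schema_files(configsets_dir):
    """Locate schema.xml / managed-schema files below a configsets directory (read-only)."""
    hits = []
    for dirpath, _dirs, files in os.walk(configsets_dir):
        for fn in files:
            if fn in ("schema.xml", "managed-schema"):
                hits.append(os.path.join(dirpath, fn))
    return hits


if __name__ == "__main__":
    flds, dyn = indexed_fields(SAMPLE_SCHEMA)
    for probe in ("service", "resource", "user_group", "src_s"):
        print(f"{probe:12s} field:value searchable = {is_searchable_by_name(probe, flds, dyn)}")
    print("catch-all fields:", catch_all_targets(SAMPLE_SCHEMA))
```

To run it against a real installation, point `find_schema_files` at the configsets directory the answer names and feed each file's text to `indexed_fields`; the script only reads the files. A field such as `resource` that shows up as stored but not indexed, while a `copyField` pushes its value into an indexed catch-all, reproduces the symptom in the question: `PT` alone matches, `resource:PT` does not.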