Performing a Keyword Search on Raw Event Data
Recon adds a rawEvent field, or a subset of event fields, to a text index for use in free-form text search. Users can perform a free-form text search for values only in event fields that are indexed.
- Understanding Indexed Fields for Free-form Search
- Indexing Event Fields Before Installing the Database
- Indexing Event Fields After Installing the Database
Understanding Indexed Fields for Free-form Search
If the rawEvent field has a value, the database will tokenize the field's content and store it as indexed text. If the rawEvent field is null, search allows you to perform a full-text search on the following columns:
| agentDnsDomain | deviceCustomNumber3Label | filePermission |
| agentHostName | deviceCustomString1 | fileType |
| agentTranslatedZoneURI | deviceCustomString1Label | flexDate1Label |
| agentZoneURI | deviceCustomString2 | flexString1 |
| applicationProtocol | deviceCustomString2Label | flexString1Label |
| categoryDeviceGroup | deviceCustomString3 | flexString2 |
| categoryDeviceType | deviceCustomString3Label | flexString2Label |
| categoryObject | deviceCustomString4 | message |
| categoryOutcome | deviceCustomString4Label | name |
| categorySignificance | deviceCustomString5 | oldFileId |
| categoryTechnique | deviceCustomString5Label | oldFileName |
| cryptoSignature | deviceCustomString6 | oldFilePath |
| destinationDnsDomain | deviceCustomString6Label | oldFilePermission |
| destinationGeoLocationInfo | deviceDnsDomain | oldFileType |
| destinationHostName | deviceDnsDomain | rawEvent |
| destinationNtDomain | deviceDomain | reason |
| destinationProcessName | deviceEventCategory | requestClientApplication |
| destinationServiceName | deviceEventClassId | requestContext |
| destinationTranslatedZoneURI | deviceExternalId | requestCookies |
| destinationUserId | deviceFacility | requestMethod |
| destinationUserName | deviceHostName | requestUrl |
| destinationUserPrivileges | deviceInboundInterface | requestUrlFileName |
| destinationZoneURI | deviceNtDomain | requestUrlQuery |
| deviceAction | deviceOutboundInterface | sourceDnsDomain |
| deviceAssetId | devicePayloadId | sourceGeoLocationInfo |
| deviceCustomDate1Label | deviceProcessName | sourceHostName |
| deviceCustomDate2Label | deviceProduct | sourceNtDomain |
| deviceCustomFloatingPoint1Label | deviceSeverity | sourceProcessName |
| deviceCustomFloatingPoint2Label | deviceTranslatedZoneURI | sourceServiceName |
| deviceCustomFloatingPoint3Label | deviceVendor | sourceTranslatedZoneURI |
| deviceCustomFloatingPoint4Label | deviceVendor | sourceUserId |
| deviceCustomIPv6Address1Label | deviceZoneURI | sourceUserName |
| deviceCustomIPv6Address2Label | eventOutcome | sourceUserPrivileges |
| deviceCustomIPv6Address3Label | externalId | sourceGeoPostalCode |
| deviceCustomIPv6Address4Label | fileId | sourceGeoRegionCode |
| deviceCustomNumber1Label | fileName | sourceZoneURI |
| deviceCustomNumber2Label | filePath | transportProtocol |
Indexing Event Fields Before Installing the Database
Before installing the database, you can index event fields that would not otherwise be indexed when the rawEvent field is null. To do so, contact Support Services so they can assist you in modifying the superschema_vertica.sql file in the installer.
Indexing Event Fields After Installing the Database
After installing the database, you can index event fields that would not otherwise be indexed when the rawEvent field is null. If there are events in the database, you must drop the text index and recreate it. The reindexing process might take time, depending on the number of events in the system.