2016-09-28 05:38 PM
Do you find yourself using the simple or advanced query mode more often in the NetWitness investigation interface? Any ideas on improving the experience whether it is using the same format or including another alternative? Do you find yourself using a totally different method (search, report, dashboard...) to typically access the data?
2016-09-28 06:42 PM
Rarely use simple, since I can type faster than the drop-downs populate on the screen (especially when there are hundreds of meta groups defined).
One improvement that is desperately needed: When using the "simple" query, we need to limit the "meta group" list to ones that are specifically created for searching. Need to add a checkbox in the meta-group management for "search query", those would not show up in the meta group pick list, but would be the only ones to show up in the simple query meta group list.
Might want to add one of these questions for the Profile/Meta/Column groups
2016-09-29 03:13 PM
I think a more robust version of regex, along with removing the need for users to escape characters in most of the query. Users should be able to use raw regex without having to translate it just for SA to interpret.
The use of referable lists is something that RSA needs to understand. Users should be able to build a list in a content interface somewhere, and this list would be usable within a query, reporting rule, and ESA rule easily. This list would be centralized within the product and users should be able to update it in one area, and not worry about updating this same list in other areas. I hate the thought of RSA keeping on telling customers to push app rules and feeds down when we can't manage the content in the product as of now anyway.