I think that is not correct. Meta that is IndexNone should not have an
nwindex file at all. IndexKey is 448 bytes and IndexValues will vary
depending on how many unique values there are. The actual list of
sessions associated with each key is stored ...
David Waugh is correct. If the environment is small enough you could
probably increase the max values for event.description and you will be
good to go. If you have a large environment I would avoid using
event.description in any parser. It is a gener...
If he's talking about decoder forwarding i would think it wouldn't be a
problem it should be raw... If he means time meta (ie: event.time) does
not support milliseconds, its 8 bytes that store epoch. You could try
storing time in a Text value instead...
If I'm understanding your question correctly, you can't. If you're goal
(as an example) is to say monitor for device.type AND msg.id to look for
specific events not coming it doesn't work that way. Someone can correct
me if I'm wrong, but essentially...
I would like to see support for trending multiple values. For example,
to right click on a signature meta for IPS alerts and have a different
colored line for each signature value so i can understand the breakdown
of multiple values over time. That's...
