NetWitness Difference between IndexValues and IndexKeys
Issue
What is the difference between IndexValues and IndexKeys when working with meta?
Resolution
The main difference between IndexValues and IndexKeys is as follows:
- IndexKeys:
At this level the index only keeps track of the sessions that contain meta items with this meta key name. It does not index any of the unique values in the meta database for the meta key.
- IndexValues:
At this level the index keeps track of the sessions that contain each individual unique value for the meta key. Compared with IndexKeys, it is needed for efficient processing of the where clause in query/value calls.
In the SA UI there is a significant difference between these two levels. Keys set to IndexKeys always come up in a closed state, which has a positive effect when rendering the first investigation page. Keys set to IndexValues come up in an expanded state. Behind the scenes, this queries each meta key, which has a negative effect when rendering the first investigation page but speeds up the drills later.
Therefore, depending on where we see query slowness – either on the first time opening the investigation page, or the subsequent drilling – we can change the index key level setting to tune the performance. The recommended index level of the meta is “IndexValues.”
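The where-clause cost difference between the two levels can be seen in a small model. This is an added example, not NetWitness code: `ToyIndex`, `where_equals` and the sample sessions are constructed for illustration, and the index is simplified to plain Python sets.

```python
from collections import defaultdict

# Constructed sample sessions: session id -> list of (meta key, value) pairs.
SESSIONS = {
    1: [("ip.src", "10.0.0.5"), ("service", "80")],
    2: [("ip.src", "10.0.0.5"), ("service", "443")],
    3: [("ip.src", "10.0.0.9"), ("service", "80")],
    4: [("service", "53")],
}


class ToyIndex:
    """Simplified model of one meta key's index at a given level."""

    def __init__(self, key, level, sessions):
        if level not in ("IndexKeys", "IndexValues"):
            raise ValueError(f"unsupported level: {level}")
        self.key, self.level, self.sessions = key, level, sessions
        self.key_sessions = set()               # sessions that contain the key
        self.value_sessions = defaultdict(set)  # value -> sessions (IndexValues only)
        for sid, metas in sessions.items():
            for k, v in metas:
                if k != key:
                    continue
                self.key_sessions.add(sid)
                if level == "IndexValues":
                    self.value_sessions[v].add(sid)

    def where_equals(self, value):
        """Return (matching session ids, sessions read from the meta store)."""
        if self.level == "IndexValues":
            # The value is in the index: no session meta has to be read.
            return sorted(self.value_sessions.get(value, set())), 0
        # IndexKeys: the index only narrows to sessions holding the key;
        # each candidate's meta must be read to compare the value.
        hits, reads = [], 0
        for sid in sorted(self.key_sessions):
            reads += 1
            if any(k == self.key and v == value for k, v in self.sessions[sid]):
                hits.append(sid)
        return hits, reads


if __name__ == "__main__":
    for level in ("IndexKeys", "IndexValues"):
        idx = ToyIndex("ip.src", level, SESSIONS)
        print(level, idx.where_equals("10.0.0.5"))
```

Both levels return the same sessions; the second number shows how many sessions had to be read back to answer the where clause.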
The difference is most visible on the Investigate page, where keys set to IndexKeys always come up in a closed state, regardless of whether there are values or not.
Product Details
NetWitness Product Set: NetWitness Platform
NetWitness Product/Service Type: Investigation, Concentrator, Decoder, LogDecoder
NetWitness Version/Condition: 11.x, 12.x
Platform: CentOS 7 / Alma