I would like to see the ability to "group-by" certain elements in the event view. For example, I would often prefer to group events by message ID, regardless of where they came from. Depending on my analysis technique, I may prefer to view events this way rather than the significantly more granular "per-event" view shown by default.
I am aware I can sort by event type, but performing a "group-by" significantly reduces the number of lines displayed in the window and allows me to make a decision about what I would prefer to look at and in what order of priority.
Doing a dynamic group-by is a little difficult because each query may need to be custom for performance reasons. Have you seen the "Group by unique session" option under the "Filter Options" menu? This may work for the time being until something is put in place to better sort the data. A lot of limitations are due to the structure of the database schema, and to keep legacy support for BASE/Barnyard it will have to stay unchanged.
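To make the difference between the two grouping strategies discussed in this thread concrete, here is an added example (not code from the original thread or from the project it discusses) that takes a handful of constructed alert records and rolls them up either by signature ID or by unique session, then orders the resulting groups by hit count so the noisiest signature or session surfaces first. The field names (`sid`, `msg`, `src`, `sport`, `dst`, `dport`, `sensor`, `ts`) and the four-tuple definition of a "session" are assumptions for the demo, not the BASE/Barnyard schema.

```python
from collections import defaultdict

# Constructed sample alerts for this demo only; the field names are assumptions
# and do not reflect the BASE/Barnyard schema mentioned in the thread.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T10:00:01", "sid": 1, "msg": "TEST web scanner user-agent", "sensor": "sensor-a",
     "src": "10.0.0.5", "sport": 40001, "dst": "192.0.2.10", "dport": 80},
    {"ts": "2024-03-01T10:00:02", "sid": 1, "msg": "TEST web scanner user-agent", "sensor": "sensor-a",
     "src": "10.0.0.5", "sport": 40001, "dst": "192.0.2.10", "dport": 80},
    {"ts": "2024-03-01T10:00:05", "sid": 1, "msg": "TEST web scanner user-agent", "sensor": "sensor-b",
     "src": "10.0.0.7", "sport": 50002, "dst": "192.0.2.10", "dport": 80},
    {"ts": "2024-03-01T10:00:06", "sid": 2, "msg": "TEST directory traversal attempt", "sensor": "sensor-a",
     "src": "10.0.0.5", "sport": 40001, "dst": "192.0.2.10", "dport": 80},
    {"ts": "2024-03-01T10:01:00", "sid": 3, "msg": "TEST SSH brute force attempt", "sensor": "sensor-b",
     "src": "10.0.0.9", "sport": 3333, "dst": "192.0.2.20", "dport": 22},
    {"ts": "2024-03-01T10:01:30", "sid": 1, "msg": "TEST web scanner user-agent", "sensor": "sensor-a",
     "src": "10.0.0.5", "sport": 40010, "dst": "192.0.2.10", "dport": 80},
    {"ts": "2024-03-01T10:02:00", "sid": 3, "msg": "TEST SSH brute force attempt", "sensor": "sensor-b",
     "src": "10.0.0.9", "sport": 3334, "dst": "192.0.2.20", "dport": 22},
]


def _new_group():
    """Empty aggregate for one group (count, time span, distinct sources/sensors/messages)."""
    return {"count": 0, "first_seen": None, "last_seen": None,
            "sources": set(), "sensors": set(), "msgs": set()}


def _add(group, ev):
    """Fold one event into a group aggregate. ISO-8601 timestamps compare lexicographically."""
    group["count"] += 1
    ts = ev["ts"]
    if group["first_seen"] is None or ts < group["first_seen"]:
        group["first_seen"] = ts
    if group["last_seen"] is None or ts > group["last_seen"]:
        group["last_seen"] = ts
    group["sources"].add(ev["src"])
    group["sensors"].add(ev["sensor"])
    group["msgs"].add(ev["msg"])


def group_by(events, key):
    """Generic group-by: `key` maps an event to its grouping key (signature, session, ...)."""
    groups = defaultdict(_new_group)
    for ev in events:
        _add(groups[key(ev)], ev)
    return dict(groups)


def by_signature(ev):
    """Group key for 'group by message/signature ID, regardless of sensor'."""
    return ev["sid"]


def by_session(ev):
    """Group key for 'group by unique session'. Assumption: a session is the
    (src, sport, dst, dport) tuple; protocol is omitted from the sample data."""
    return (ev["src"], ev["sport"], ev["dst"], ev["dport"])


def prioritised(groups):
    """Group keys ordered by hit count descending, ties broken by earliest first_seen,
    which is the 'what to look at first' ordering the thread asks for."""
    ranked = sorted(groups.items(), key=lambda kv: (-kv[1]["count"], kv[1]["first_seen"]))
    return [k for k, _ in ranked]


def line_reduction(events, key):
    """(raw event lines, grouped lines): how much shorter the view gets under this grouping."""
    return len(events), len(group_by(events, key))


def render(groups, label):
    """Return the grouped view as text lines, highest-priority group first."""
    lines = [f"== grouped by {label} =="]
    for k in prioritised(groups):
        g = groups[k]
        lines.append(f"{g['count']:>3}  {k}  {g['first_seen']} .. {g['last_seen']}  "
                     f"sources={len(g['sources'])} sensors={len(g['sensors'])}  {sorted(g['msgs'])}")
    return lines


if __name__ == "__main__":
    for label, key in (("signature", by_signature), ("session", by_session)):
        raw, grouped = line_reduction(SAMPLE_EVENTS, key)
        print(f"{raw} raw events -> {grouped} lines when grouped by {label}")
        print("\n".join(render(group_by(SAMPLE_EVENTS, key), label)))
```

On the sample data, grouping by signature collapses seven raw events into three lines (the noisy signature with four hits ranks first), while grouping by session yields five lines, because the same signature fires from several distinct connections. Which rollup is more useful depends on the question being asked: "which rule is misbehaving?" favours the signature view, "which host is doing this?" favours the session view.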
Group by unique session
The group by unique sessions feature actually works quite well and is certainly going in the right direction! Thanks for pointing that out. I will see how that works out for us. I suspect most of these issues can be solved by more efficient rule writing (flowbits, thresholding, etc.). I guess most of the issues I come across are due to a signature causing an excessive number of hits due to error or development. In this case I would prefer to purge the DB, as raised in other tickets on here.