Recon can divide data into storage groups, which allows you to partition the incoming events data and provide different retention periods, based on the query filter. Because you can set data retention policies per storage group, you can retain certain high volume events for a short time period and other important events for longer time period.
The query filter enables you to associate a storage group with specific compliance requirements, business needs, or search activities. Recon uses the specified query filters to direct events to the correct storage group. For example, one group might have a filter for categoryDeviceGroup =/ Firewall and another for severity >= 7. If an event does not match any of the active filters, Recon sends the event to the Default Storage Group. You cannot change the name, query, or rank of this built-in group.
Recon displays a Apply Changes to System option at the top of the Storage Groups page to let you know that one or more groups have been modified but the changes need to be applied yet.
Recon allows you to have up to 10 storage groups, including the provided Default Storage Group.
Select Configuration > Storage.
Select +.
Enter a name for the storage group.
IMPORTANT:You cannot change the name after you create the group. Also, the name cannot include special characters.
Enter a query with which to filter the incoming events into this storage group.
For example, categoryDeviceGroup='/Firewall' or categoryDeviceGroup='/IDS'.
The query can include parentheses, quotes, and single quotes.
For the storage group’s status, indicate whether to activate the group.
(Optional) For Delete Data Older than, enter the age of data, in months, that you want to purge from the storage group in the database.
Select SAVE.
For efficient data retrieval, Recon matches each incoming event with the query filter for single, active storage group. However, an event could be associated with the rules of more than one group. When an event matches with multiple storage groups, Recon assigns the event to the highest ranked group. For example, if Event_29 matches the query filter for the storage groups ranked 3, 5, and 6, then Recon assigns the event to the group that is ranked 3. If an event does not match any of the active filters, Recon sends the event to the Default Storage Group.
You can change the ranking of storage groups to ensure that Recon places events in the best location.
Select Configuration > Storage.
In the Storage Information list, drag each storage group up or down to the preferred priority position.
Recon always places the Default Storage Group in the lowest ranked position.