Data Indexer (DX) Dashboards

There are two types of dashboards that can be created within the Web Console: Event Dashboards and Data Indexer (DX) dashboards. While Event dashboards can be useful to display information about small datasets contained within the Web Console cache, a DX dashboard may be required to query larger datasets over longer periods without requiring logs to be classified as “events.”

Data Indexer dashboards are only available to users with LogRhythm SIEM version 7.20 or higher.

Refer to the Dashboards set of topics for information on managing both types of dashboards. This topic specifies differences between Event Dashboards and DX Dashboards. Management of widgets and importing and exporting dashboards remains the same for both types of dashboards.

Event Dashboards vs. Data Indexer Dashboards

Refer to this table for more information on the differences between the two types of dashboards:

Dashboard	Description
Event Dashboard	Use Event data stored in the Web Console cache. To populate a widget, the data must be available in both the Event dashboard and the cache.
Data Indexer Dashboard	Query larger datasets over longer periods without requiring logs to be classified as “events.” Uses all log data in the Data Indexer to populate widgets, providing greater dashboard flexibility. DX dashboards allow you to add up to 10 individual TopX widgets with separate queries, and visualize up to 30 days of data. DX dashboards also include a refresh setting, allowing you to determine how often the widgets on the dashboard update with new information. This timeframe can be set to as small as one minute or as large as 24 hours. Because of the potentially large datasets involved in generating DX dashboards, widgets may take an extended period of time to load depending on the size of your environment and the amount of data being requested. This can impact performance of the DX on older HDD-based models; therefore, Exabeam recommends using an SSD for all DX data. To help alleviate this issue, the number of widgets on a DX dashboard is limited to 10 or fewer. Data Indexer Dashboard filters do not support the following fields: Application Country (Origin/Impacted) Host (Origin/Impacted) Log Source Host Region (Origin/Impacted)

DX Dashboard Analyzer Grid

The Analyzer Grid displays data differently when using Data Indexer (DX) dashboards in the following ways:

1. The Analyzer Grid is blank by default. To view logs for a specific widget on a DX dashboard:

   1. Click the three-dot menu at the top-right corner of the widget.

   2. Click View logs.
      The Analyzer Grid is updated to display logs related to the selected widget. Results are static and do not automatically update.

2. To keep the Web Console running smoothly, only 200 results are displayed at a time in the Analyzer Grid for DX dashboards. More results load as you scroll through them.

While additional results require you to scroll in order to load them, the filtering of the Analyzer Grid is based on the entire result set.

3. The following fields are not available in the Analyzer Grid for DX dashboards:

   1. Application

   2. Country (Origin & Impacted)

   3. Host (Impacted) KBytes Received, Sent, and Total

   4. Last Log Date

   5. Log Source Host

   6. Region (Origin & Impacted)

   7. Rule Block

4. The following fields are not available for filtering in the Analyzer Grid for DX dashboards:

   1. Entity (Origin & Impacted)

   2. Host (Origin & Impacted)

   3. Known Host (Origin & Impacted)

   4. Log Message

   5. Zone (Origin & Impacted)

Refer to the Analyzer Grid set of topics for information on managing the Analyzer Grid for both types of dashboards. This topic specifies differences with the Analyzer Grid between Event Dashboards and DX Dashboards. Configuration of the Analyzer Grid and using the Inspector Panel remain the same between the different Dashboard types.