
SolarWinds LEM filter size

SolarWinds Security Filters Size

Hello!

I am working with LEM, and we are trying to filter logs by DetectionIP (connector IP address) in the historical events tab.

I am specifically trying to filter out certain DetectionIPs (connectors) that are creating a lot of noise (when it comes to logs) so that I can look at some of the quieter connectors on our network and verify that they are still working properly.

The LEM has a limit to the number of detections it can export (using a CSV file) which makes it difficult for us to track which connectors are properly working since the noisy connectors end up filling most of the export.

Generally, if you want to filter out certain specific DetectionIPs you would input DetectionIP != "192.168.1.1" into the filter bar, and I was considering stacking these "DetectionIP !=" statements together (using AND statements).

The absolute limit for a query size (according to supporting documentation) is 10,000 characters, which would limit the filter to about 303 statements. That would likely help, but I am concerned it could overload our system.

About 200 of the noisy connectors have already been tracked as working properly, so I would need to create a query that would exclude about 200 IPs using the DetectionIP != statements.

Please let me know if you think I am missing something here and if you think there is a better way to handle this.

Please let me know if you have any additional questions!
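As an added example (not from the original thread or from SolarWinds), a small Python helper that builds the stacked `DetectionIP != "..."` AND filter described above from a list of known-good connector IPs, validates each address, and splits the result into several queries when one would exceed the 10,000-character limit the post mentions. The clause syntax and the limit are taken from the post as written; that LEM accepts every string this emits is an assumption.

```python
"""Build LEM historical-events exclusion filters from a list of connector IPs.

Assumptions (taken from the post, not verified against LEM documentation):
clauses look like  DetectionIP != "a.b.c.d"  joined with AND, and one query
may not exceed 10,000 characters.
"""
import ipaddress
from typing import List

MAX_QUERY_CHARS = 10_000          # limit quoted in the post
CLAUSE = 'DetectionIP != "{ip}"'  # clause syntax as written in the post
JOINER = " AND "


def normalize_ips(ips: List[str]) -> List[str]:
    """Validate, de-duplicate and sort the IPs so a typo does not silently
    produce a clause that excludes nothing (bad input raises ValueError)."""
    seen = {ipaddress.ip_address(raw.strip()) for raw in ips}
    return [str(ip) for ip in sorted(seen, key=lambda a: (a.version, a))]


def build_filters(ips: List[str], max_chars: int = MAX_QUERY_CHARS) -> List[str]:
    """Return one or more filter strings, each within max_chars, that together
    exclude every IP in `ips`. Each returned string is one query to run."""
    queries: List[str] = []
    current: List[str] = []
    for ip in normalize_ips(ips):
        clause = CLAUSE.format(ip=ip)
        if len(clause) > max_chars:
            raise ValueError(f"single clause exceeds limit: {clause}")
        candidate = JOINER.join(current + [clause])
        if len(candidate) > max_chars and current:
            queries.append(JOINER.join(current))  # flush the full query
            current = [clause]
        else:
            current.append(clause)
    if current:
        queries.append(JOINER.join(current))
    return queries


def max_clauses(example_ip: str = "192.168.1.1", max_chars: int = MAX_QUERY_CHARS) -> int:
    """Number of clauses that fit in one query for an IP of the given width.
    n clauses need n*len(clause) + (n-1)*len(JOINER) characters.
    With the post's 11-character example IP this gives 303, matching the post;
    a worst-case 15-character IPv4 address gives 270."""
    clause_len = len(CLAUSE.format(ip=example_ip))
    return (max_chars + len(JOINER)) // (clause_len + len(JOINER))
```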