Configuring Searchable Fields in the ECS

If you want to search for UDRs with specific values in certain fields, you can configure such fields in the ECS Searchable Fields dialog (ECS Inspector → Searchable Fields button).

Searchable Fields dialog

Note!

These configurations must be made before UDRs are sent to the ECS by the ECS forwarding agent.

To configure searchable fields:

  1. In the ECS Searchable Fields dialog, on the Labels tab, click the Add button at the bottom of the dialog.

    The Add Label dialog opens.

    Add Label dialog

  2. Enter a name in the Label field. Click the Add button to add the label to the Defined Field Labels list.
     

  3. Repeat the previous step for all the labels you want to add, and then click the Close button.

  4. Click the Mappings tab to map UDR fields to the different labels.

  5. Click the Add button to open the UDR Internal Format Browser.
     

  6. Select the UDR type you want and click OK (to add and close the browser) or Apply (to add more UDR types without having to reopen the browser). 

    The UDR type(s) are added in the UDR Types list.
     

  7. Select a UDR type in the UDR Types list, and double-click the UDR Field row to select a UDR Field to associate with the chosen label.

    The Select UDR Field dialog opens.
     

  8. Select a UDR Field and click OK.

    The selected UDR Field is listed in the UDR Field row for the label.
     

  9. Repeat the previous step for all the UDR Types where you want to map UDR Fields.



  10. Click the Save button when you are finished.



    The configuration is saved. The next time the ECS receives UDRs from an ECS forwarding agent, the configured UDR Fields are added as metadata and can later be used for searches; see Searching the ECS.