Version 19.6.1
Search

The Explore > Search tab allows users to search the Plixer Scrutinizer host index to quickly verify whether or not a host has been seen on the network.

Searches can be performed for either individual hosts or pairs (host to host). Simultaneous lookups for multiple hosts or pairs are also supported.

Important

To be able to search for hosts and host pairs, the corresponding indexing feature must be enabled.

The following are the available details displayed in the search results:

  • Host

  • Traffic direction (inbound, outbound, A > B, B < A, bidirectional)

  • First and last seen timestamps

  • Exporter/source of collected data

  • Bytes in and out

  • Packets in and out

  • Flows in and out

Hint

To show fewer details in search results, click the table button and untick the checkboxes for the columns to be hidden.

In the search results, drilling into a host will display a summary of its activity on the network. Clicking on a data source opens a tray that allows the user to quickly pivot to any supported report type.

Enabling host indexing

When host indexing is enabled, Plixer Scrutinizer will store records for all hosts that pass traffic on the network. Records for host pairs can also be stored (and searched through) by enabling host to host indexing as indicated below.

To enable host indexing:

  1. Navigate to Admin > Alarm Monitor > Flow Analytics Algorithms.

  2. Open the configuration tray for the Host Indexing algorithm.

  3. Add sources/inclusions for the algorithm either individually or using security groups.

    Hint

    Recommended inclusions for host indexing are internal/core routers, edge routers, and public IP addresses that have been assigned to IP groups.

  4. If there are sources (IP addresses/ranges, domains (by reverse DNS), IP groups, etc.) that should not be indexed, add them as exclusions.

  5. Expand the Settings secondary tray to configure the following:

    • Days of Host Index Data Retention

    • Host Index Database

    • Host Indexing Domain Socket

    • Host Index Max Disk Space

    • Host Index Sync Interval Minutes

    • Host to Host Database

    • Window Limit

  6. (Optional) Enter a database path in the Host to Host Database field to enable host pair indexing. To disable the feature, leave it blank.

  7. Use the toggle to enable the algorithm and close the tray.

Once the algorithm has been configured and enabled, users can use the Explore > Search view to search the host or host pair (if enabled) index.

Hint

If the Use Host Index option (Admin > Settings > Reporting) is enabled, only exporters that a host has been seen on will be searched when data is aggregated for a report. This can significantly reduce the time it takes to run reports.

Resource requirements

When host indexing is enabled, additional resources may need to be allocated to the Plixer Scrutinizer collectors as described here.

Host index population from historical data

If host indexing is not immediately enabled after Plixer Scrutinizer is deployed, the database can be backfilled at a later date using historical data.

To populate the host index database from historical tables, follow these steps:

  1. SSH to the Plixer Scrutinizer server as the plixer user.

  2. Stop the host index service:

    sudo systemctl stop scrutinizer-host-index

  3. Run the following to populate the database using the specified historical data tables and time range/window:

    host_index --db_config --verbose --populate_from_history --table_interval=INTERVAL_TABLE --date_start="<START_DATE_TIME>" --date_end="<END_DATE_TIME>"

    where:

    • START_DATE_TIME and END_DATE_TIME must be formatted as YYYY-MM-DD HH:MM, with the time in 24-hour format (leading zeroes should be omitted).

    • INTERVAL_TABLE is an integer that specifies the aggregation interval tables and should be set to 1, 5, or 30.

Note

  • If the time element is omitted from END_DATE_TIME, data from the end date specified will be excluded from the operation.

  • The utility can also be used to repopulate the host index database in case of data corruption. However, it is highly recommended to contact Plixer Technical Support for assistance with restoring data.
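The following wrapper is an added example, not part of Plixer's own tooling: it checks the argument constraints stated in the procedure above (interval table of 1, 5 or 30; YYYY-MM-DD HH:MM dates in 24-hour format; the end-date caveat from the note) and prints the exact host_index command before anything touches the index database. It assumes host_index is on the plixer user's PATH, as step 3 implies.

```bash
#!/usr/bin/env bash
# Added example: validate and assemble the documented backfill command.
set -e

# Accepts "YYYY-MM-DD" or "YYYY-MM-DD H:MM" / "YYYY-MM-DD HH:MM" (24-hour).
# The page says leading zeroes in the time should be omitted, so a
# single-digit hour is allowed; a zero-padded hour is also tolerated.
valid_date() {
  case "$1" in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) return 0 ;;
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]\ [0-9]:[0-9][0-9]) return 0 ;;
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]\ [0-9][0-9]:[0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Prints the host_index command for review; returns non-zero on bad input.
# Usage: build_cmd INTERVAL_TABLE START_DATE_TIME END_DATE_TIME
build_cmd() {
  interval=$1; start=$2; end=$3
  case "$interval" in
    1|5|30) ;;
    *) echo "INTERVAL_TABLE must be 1, 5 or 30 (got '$interval')" >&2; return 1 ;;
  esac
  valid_date "$start" || { echo "bad START_DATE_TIME: '$start'" >&2; return 1; }
  valid_date "$end"   || { echo "bad END_DATE_TIME: '$end'" >&2; return 1; }
  # Per the note above, an end date without a time excludes that whole day.
  case "$end" in
    *:*) ;;
    *) echo "warning: END_DATE_TIME has no time; data on $end will be excluded" >&2 ;;
  esac
  printf 'host_index --db_config --verbose --populate_from_history --table_interval=%s --date_start="%s" --date_end="%s"\n' \
    "$interval" "$start" "$end"
}

# With --run, perform the documented steps: stop the service, then backfill.
# Without it, the script only validates and prints the command.
if [ $# -eq 4 ] && [ "$1" = "--run" ]; then
  shift
  cmd=$(build_cmd "$@")
  sudo systemctl stop scrutinizer-host-index
  eval "$cmd"
elif [ $# -eq 3 ]; then
  build_cmd "$@"
fi
```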


© Copyright 2025, Plixer, LLC.