Siren Platform User Guide

3.9 Indexes and relations

Data model

In Data Model you can define relationships between your data tables, whether they live on the local Siren Elasticsearch nodes or are mapped remotely to JDBC databases. From there you can build dashboards with "relational pivoting" buttons, which take you from the set of currently selected records to the set of connected records in another table.

Operations that you can do:

  • Configure which Elasticsearch indexes or virtual indexes will be available inside Siren Investigate. For Elasticsearch indexes, you can also create new "scripted fields".
  • Define relations between these indexes. This defines a data model, also known as an ontology: indexes are treated as "Classes" and their records as "Entities". The ontology also specifies properties of these indexes/classes, for example icons, labels and so on.
  • Define "Entity Identifiers" (EIDs). These are classes of strings or integers that appear here and there in the data and represent an entity that is "well understood as such", but for which you do not (yet?) have a specific index listing its values. A typical entity identifier is an IP address: it is an entity (and you want to join on it), but you do not have an "index of all the IPs". Other examples are normalized phone numbers, hash values, user IDs, names of locations or cities, tags or labels and so on.

In summary, from now on "Classes" will refer to either index patterns or EIDs, and "Entities" will refer to either the individual records in index patterns or the individual EID values (for example an IP address).
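As an added illustration (not Siren's own code or data-model format), the toy model below shows the concepts defined above: two constructed index patterns, one EID class ("IP") with no index of its own, relations that join on it, and a relational pivot that goes from a selection of entities in one class to the connected entities in another class. The index names, records and relation tuples are all constructed for this example.

```python
# Constructed toy model of Classes (index patterns or EIDs), Entities (records or
# EID values) and relational pivoting. Not Siren code; data is made up.

# Index patterns with constructed records; "id" is the record identifier.
INDEXES = {
    "logins": [
        {"id": "l1", "user": "alice", "src_ip": "10.0.0.5"},
        {"id": "l2", "user": "bob", "src_ip": "10.0.0.9"},
        {"id": "l3", "user": "alice", "src_ip": "10.0.0.7"},
    ],
    "alerts": [
        {"id": "a1", "severity": "high", "ip": "10.0.0.5"},
        {"id": "a2", "severity": "low", "ip": "10.0.0.9"},
        {"id": "a3", "severity": "high", "ip": "192.168.1.1"},
    ],
}

# Entity identifier classes: no index lists their values; a value is an entity.
EIDS = {"IP"}

# Relations as (class, field, class, field); an EID's field is its value.
RELATIONS = [
    ("logins", "src_ip", "IP", "value"),
    ("alerts", "ip", "IP", "value"),
]

def neighbors(cls):
    """Relations touching cls, oriented so cls is on the left."""
    out = []
    for a, fa, b, fb in RELATIONS:
        if a == cls:
            out.append((fa, b, fb))
        if b == cls:
            out.append((fb, a, fa))
    return out

def values_of(cls, entities, field):
    """Join values of the selected entities (an EID entity is its own value)."""
    if cls in EIDS:
        return set(entities)
    return {r[field] for r in INDEXES[cls] if r["id"] in entities}

def members(cls, field, values):
    """Entities of cls whose join field matches one of the values."""
    if cls in EIDS:
        return set(values)
    return {r["id"] for r in INDEXES[cls] if r[field] in values}

def pivot(from_cls, selected, to_cls):
    """Relational pivot: entities of to_cls connected to the selected entities,
    either through a direct relation or through one shared EID class."""
    for fa, b, fb in neighbors(from_cls):
        if b == to_cls:
            return members(to_cls, fb, values_of(from_cls, selected, fa))
        if b in EIDS:
            eid_values = values_of(from_cls, selected, fa)
            for _, c, fc in neighbors(b):
                if c == to_cls:
                    return members(c, fc, eid_values)
    return set()
```

Pivoting from the two "alice" logins to the "IP" class yields the two EID values, and pivoting on to "alerts" yields only the alert raised for one of those addresses.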
