Senior Product Designer · PayamPardaz

Designing a solution for searching in high-volume tables

A search experience for SIEM tables with billions of rows. Rather than making queries faster, I made results appear in real time so security analysts reach what they need far sooner.

Searching in high-volume tables
Role
Senior Product Designer
Team
20+ people
Duration
2018–2021
Domain
Cybersecurity (SIEM)
Overview

The data-intensive product I worked on had tables with millions to billions of rows. Searching them was slow and resource-intensive. This case study presents a solution to improve the experience of searching in high-volume tables.

A sample high-volume table with over a billion rows.
Context

The employer was a leading corporate in cybersecurity; I worked as a Senior UX Designer in a team of 20+, fixing UI/UX issues and designing new features on an enterprise web application with a highly flexible, complex interface.

The product was a SIEM (Security Information and Event Management): it centralises security logs from many sources and provides real-time monitoring, detection, and response. Every SIEM has a "Search" page for logs, and that table can hold millions or billions of rows.

A leading SIEM (Splunk), for reference.

Several user types work with the system; this case study focuses on one persona. A typical routine: on receiving a threat notification, the analyst goes to the search page to find the footprints of an intruder.

The persona this case study focuses on.
Problem

Users search and filter among billions of rows to reach specific results, using an advanced search tool above the table.

The advanced search and filtering tool.

Say an analyst suspects a threat from Estonia and searches for logs originating there.

Sample search criteria defined by the user.

Traversing a database of billions of rows takes substantial time and resources, so users could wait anywhere from minutes to hours for results.

Time-consuming

Waits ranged from minutes to hours.

Resource-intensive

Clients kept having to add resources to their servers.

What the user sees during the search process today.
Constraints

I started by understanding the limits.

More resources?

Could we ask clients to allocate additional server resources to speed up search?

Better technology?

Could we use more advanced technology, such as specialised time-series databases?

After talking with the project manager and engineering lead, neither was feasible in our circumstances. Every real-world problem comes with constraints.

User research

I was stuck on how to make search faster without upgrading technology or adding resources. Then I noticed something:

"Making search faster" is a solution, not a requirement. So what is the requirement?

To find out, I ran unsupervised observation of user behaviour in the customer's environment with nine users.

Method: unsupervised behaviour observation with 9 users.

Two observations stood out: in 95% of cases users do not find the result in their first search, and on average they run six searches before finding what they need.

Users rarely find it first try, and average six searches.

That led to the driving insight:

Users do not need all results before deciding on their next search. The goal is not a faster search, it is faster access to the final result.
First iteration

Since users run multiple searches and do not need complete results to decide the next one, my first hypothesis was a time threshold.

Run the query for a maximum of X minutes, then let the user continue it or view the results available so far.

Further discussion showed a fixed threshold only covers part of the use cases.

First hypothesis: a fixed time threshold.
Second iteration

Refining that, my second hypothesis made search real time instead of a fixed threshold.

If we show results as soon as the database finds them, the user can build their next search quickly and reach the goal faster.
Second hypothesis: stream results in real time.
Feasibility check

Was real-time retrieval technically possible? I checked with the Head of Engineering, the PM, a DevOps engineer, and the lead front-end developer. We found limits with non-streaming operators such as ORDER BY, GROUP BY, hash joins, INTERSECT, and SELECT DISTINCT, and designed around them.

Competitor audit

I analysed direct and indirect competitors for inspiration on design and approach.

Products analysed for design and approach.
Design

I sketched early ideas, then built high-fidelity mockups and an interactive prototype in Figma (re-branded for the NDA). The prototype let the team compare the current and proposed approaches side by side and feel the difference.

Evaluation

I used the prototype to present the idea, flow, and interactions to the team for validation. After small iterations, the development team implemented it with ongoing support from me, and QA tested functionality and performance.

The impact compounds: if it takes 5 searches to reach a result, each search takes 15 minutes, and the analyst can decide the next criteria from the first minute of results, the time saved is dramatic.

How the new approach changes time-to-result.

We then tested with end users:

1 · On-site

Tested with 9 users and organisations in their own environment.

2 · Real tasks

Each user ran several searches based on their daily needs.

3 · Same-day update

We updated the application for their organisation the same day.

4 · Re-run

The exact searches were performed again on the new interface.

A total of 180 searches were recorded across the two interfaces.

Outcomes

83%

Faster reaching the final result

On average, across 180 searches by 9 users.

−21%

System load on servers

On average across 9 organisations, over one month of usage (Unix load).

Challenges

The top three challenges, then a closer look at how I handled one.

Highly technical domain

The problem required deep technical knowledge of how logs are searched.

Users hard to reach

End users were not directly accessible.

Many constraints

A lot of technical and organisational constraints to weigh.

To understand the technical side and design a robust solution, I voluntarily took a Splunk course on how cybersecurity specialists search logs to uncover evidence.

I took a Splunk course to understand how analysts really search.
Learnings

The biggest lesson was the gap between the stated request and the real need.

What the user says

"Make the search faster."

What the user needs

To reach the final result sooner, which real-time results delivered without a faster query.