I am wondering if anyone has any real world examples where they have the ability to be able to apply a single feed to already parsed data on a decoder.
The use case is that we have custom feeds that are produced and want to have them applied to all data on the decoder, not just data that has not been parsed. I understand that the only way this can be accomplished is to extract the already parsed data from the decoder to a pcap and then have it replayed back through a decoder. The main issue with this approach is that all the data being replayed would be parsed as opposed to just the single feed.
I assume what you are talking about is retroactively applying a newly added/updated feed to historical pcaps/metadata.
There is no existing functionality in NW that I know of to do that. Basically yes, you would need to do full packet replay against a whole new collection to achieve that.
However, depending on your goals/needs for doing a retroactive check there are several other possible solutions you could try that I'll suggest:
For updates to a custom feed, programmatically generate a list of new elements added to the feed and then query all data for those new elements as a one-time "catch-up" operation. The query could be done automatically using NW API calls.
If there is a specific area of concern, such as a specific subnet, service or user, you can extract pcaps for just that period and then create a local collection in Investigator and import those packets. This would require adding the custom feed to your local Investigator.
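The "catch-up" idea above (and the version-control diffs mentioned in the replies that follow) can be scripted. The following is an added illustration, not code from this thread or from NetWitness: it takes two revisions of a custom feed CSV, works out which indicators are new, and turns them into query strings. The sample feeds are constructed, the `indicator` column name and the meta keys `ip.src` / `alias.host` are assumptions standing in for whatever your feed and index actually use, and the query syntax (single-quoted strings, `||` for OR) is the common NetWitness form but should be checked against your version before use.

```python
import csv
import io
import ipaddress

# Constructed sample data: two revisions of a custom feed CSV, as they
# might be pulled from two commits in version control.
FEED_OLD = """indicator,description
10.0.0.5,internal scanner
evil.example,known bad host
"""
FEED_NEW = """indicator,description
10.0.0.5,internal scanner
evil.example,known bad host
203.0.113.7,new suspicious address
bad.example,new bad host
"""

def load_feed(text, column="indicator"):
    # Map indicator -> row so lookups are cheap; 'column' is an assumed header.
    reader = csv.DictReader(io.StringIO(text))
    return {row[column].strip(): row for row in reader if row.get(column)}

def new_elements(old_text, new_text):
    # Elements present in the new revision but absent from the old one.
    old = load_feed(old_text)
    new = load_feed(new_text)
    return sorted(k for k in new if k not in old)

def classify(indicator):
    # Pick an assumed meta key by indicator type; extend as your feed needs.
    try:
        ipaddress.ip_address(indicator)
        return "ip.src"
    except ValueError:
        return "alias.host"

def build_queries(indicators, batch_size=50):
    # Group new elements by meta key and emit OR-joined query strings.
    # Values are single-quoted; indicators containing a quote are rejected
    # rather than interpolated, so a malformed feed row cannot alter the query.
    by_key = {}
    for ind in indicators:
        if "'" in ind:
            raise ValueError(f"refusing to quote indicator: {ind!r}")
        by_key.setdefault(classify(ind), []).append(ind)
    queries = []
    for key, values in sorted(by_key.items()):
        for i in range(0, len(values), batch_size):
            chunk = values[i:i + batch_size]
            queries.append(" || ".join(f"{key} = '{v}'" for v in chunk))
    return queries

def main():
    added = new_elements(FEED_OLD, FEED_NEW)
    for q in build_queries(added):
        # In practice each string would be submitted through the NW API
        # against the historical collection; here it is just printed.
        print(q)

if __name__ == "__main__":
    main()
```

Each string printed by `main()` is one query to hand to the API for the one-time sweep; keeping the feed under version control makes `FEED_OLD` and `FEED_NEW` simply two revisions of the same file.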
Jedi Mercer's solution is excellent. I'm doing exactly that. First off, I highly recommend that you put all your feeds under version control if you haven't already. Among many other benefits, this allows you to do diffs very easily.
Yes! Put custom feeds (and other customizations you do) for Netwitness under a version control system like SVN or git or whatever you prefer. Especially good if you have more than one person making updates or an automated tool adding to feeds.