While the release of the Unified Data Model (UDM) has given us a unified meta key foundation on which to build moving forward (awesome!), it has also opened an administrative can of worms (not so awesome...).
With these new and/or modified meta keys comes the challenge of combing through your NetWitness architecture to find every place where discontinued meta keys exist, identifying the ones that you want to change, and then actually changing them. We can’t automate this entire process yet, but we can still automate some of it to make our lives easier.
One of the primary places that meta keys live within NetWitness is the custom XML file that allows for tuning and adding to the default out-of-the-box meta. In the UI, these files are accessible at Admin (or Administration) → Services → <serviceName> → Config → Files:
And on disk at /etc/netwitness/ng/index-<serviceName>-custom.xml (Log Decoders have an additional custom XML at /etc/netwitness/ng/envision/etc/table-map-custom.xml):
We could search through and update these files manually for every discontinued meta key...but frankly, that would be an enormous headache and a waste of time, which is why I put together this script to do it instead.
The script will ask whether to perform a dry-run replacement or to do it for real. If you choose the dry run, you will get a list of all the discontinued meta keys that were identified within the target custom XML, along with the new meta key that replaces each one in the UDM.
If you do not choose the dry-run option, the script will give you the option to view each discontinued meta key and the corresponding new meta key and accept or deny its replacement, or to simply replace everything without any further prompts.
If the actual replacement(s) are accepted, the script will back up the original custom XML before making any changes.
Once complete, I recommend that you compare the new and original files using your diff tool or utility of choice to verify that everything proceeded without error. And as a reminder, you will need to restart the service for these changes to take effect.
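The dry run, backup-then-replace, and diff verification steps described above can be sketched as follows. This is an added example, not the author's script: the key pairs in `KEY_MAP` are constructed placeholders rather than real NetWitness keys, and it assumes meta keys appear as `name="..."` or `nwName="..."` attribute values in the custom XML files.

```python
import difflib
import re
import shutil
from pathlib import Path

# Constructed placeholder pairs (discontinued key -> UDM key); not real NetWitness keys.
KEY_MAP = {"legacy.src": "udm.src", "legacy.user": "udm.user"}

# Assumption: meta keys appear as name="..." in index-*-custom.xml and
# nwName="..." in table-map-custom.xml.
ATTR = re.compile(r'\b(name|nwName)="([^"]+)"')

# Constructed sample input.
SAMPLE = """<language level="IndexNone" defaultAction="Auto">
  <key description="Source" format="Text" level="IndexValues" name="legacy.src"/>
  <key description="Source Port" format="UInt16" level="IndexValues" name="legacy.src.port"/>
  <key description="Custom" format="Text" level="IndexValues" name="my.custom"/>
</language>
"""

def find_discontinued(text, key_map=KEY_MAP):
    """Dry run: list (old, new) pairs whose old key is present in text."""
    present = {m.group(2) for m in ATTR.finditer(text)}
    return sorted((old, new) for old, new in key_map.items() if old in present)

def replace_keys(text, accepted):
    """Rewrite whole attribute values only, so legacy.src.port is not clobbered."""
    return ATTR.sub(lambda m: f'{m.group(1)}="{accepted.get(m.group(2), m.group(2))}"', text)

def migrate(path, accepted, dry_run=True):
    """Return a unified diff; when not a dry run, back up and then write."""
    path = Path(path)
    original = path.read_text()
    updated = replace_keys(original, accepted)
    diff = "".join(difflib.unified_diff(
        original.splitlines(keepends=True), updated.splitlines(keepends=True),
        fromfile=str(path), tofile=f"{path} (updated)"))
    if not dry_run and updated != original:
        shutil.copy2(path, path.with_name(path.name + ".bak"))  # backup first
        path.write_text(updated)
    return diff

if __name__ == "__main__":
    for old, new in find_discontinued(SAMPLE):
        print(f"{old} -> {new}")
```

Matching the full attribute value rather than doing a plain text substitution keeps a longer key that merely starts with a discontinued name from being rewritten by accident.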