This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Create a new Meta Key

RenatoGoncalves
Beginner
Beginner

‎2018-09-21 09:26 AM

Hello,

 

One of my colleagues are trying to create a new meta key. In this case we are trying to create the name of a customer and with that we could distinguish all out clients data.

 

We already did:

https://community.rsa.com/thread/194442

https://community.rsa.com/docs/DOC-80195

https://app-community.rsa.com/docs/DOC-45795

 

But when we try to search our client data using the meta key customer-name it isn't possible.

 

Is there anything my colleague could do?

 

Antonio Teixeira

16 REPLIES 16

Anonymous
Not applicable

‎2018-09-21 09:31 AM

Make sure the change is on ALL concentrators. They should all have the same index-concentrator-custom.xml file. Then, I typically logout and log back in to see the meta key.

 

If you can, please share the entry for the meta key from the index-concentrator-custom.xml file.

 

Chris Ahearn

RSA | Principal Consultant | Incident Response

0 Likes

anuragsinha18
Contributor Contributor
Contributor

‎2018-09-21 01:24 PM

Did you add the entry for custom meta in  table-map-custom.xml file in log Decoder?

0 Likes

RenatoGoncalves
Beginner
Beginner

‎2018-09-24 05:52 AM

Hello Christopher and Anurag

 

Yes we have made all that you said. 

 

Christopher here's the entry: 

 

index-concentrator-custom.xml é "<key description="Customer Name" format="Text" level="IndexValues" name="customer.name"/>"

table-map-custom.xml é " <mapping envisionName="customer.name" nwName="customer.name"/>"

0 Likes

anuragsinha18
Contributor Contributor
Contributor
In response to RenatoGoncalves

‎2018-09-24 08:25 AM

Hi Renato,

 

Try with the below changes and restart the nwlogdecoder and nwconcentrator services.

Table-map-custom.xml entry;

<mapping envisionName="customer.name" nwName="customer.name" flags="None"/>

 

index-concentrator-custom.xml entry;

<key description="customer name" level="IndexValues" name="customer.name" format="Text" valueMax="10000" />

0 Likes

RenatoGoncalves
Beginner
Beginner

‎2018-09-24 09:21 AM

Let me try Anurag Sinha

0 Likes

RenatoGoncalves
Beginner
Beginner

‎2018-09-25 02:45 AM

Hello  Anurag Sinha‌,

We tried to do how you said but it gives us an error:

pastedImage_1.png

0 Likes

anuragsinha18
Contributor Contributor
Contributor
In response to RenatoGoncalves

‎2018-09-25 04:24 AM

That seems to be error with the filter and option tried to search.  Confirm that original request to see the "customer.name" meta is resolved?

0 Likes

RenatoGoncalves
Beginner
Beginner

‎2018-09-25 04:29 AM

Sorry....but how can i confirm it? Doing a query?

0 Likes

anuragsinha18
Contributor Contributor
Contributor
In response to RenatoGoncalves

‎2018-09-25 04:42 AM

have you used that meta in any of the parser? does that meta holds any data against it? If not, querying on that will not fetch any data.

 

You can check the meta in Investigate>Manage default meta keys

 

 

pastedImage_1.png

Hope this helps

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.