This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Custom Metakey

jeesfrancis
Beginner
Beginner

‎2017-12-11 01:02 AM

Hi All,

 

If i create a custom metakey in 'index-logdecoder-custom.xml' and restart the service, will it cause any issues to the existing metakeys ?  i am wondering whether RSA will read both custom decoder xml file as well as default decoder xml file. Thanks in advance.

0 Likes
4 REPLIES 4

jeffshurtliff
Administrator Administrator
Administrator

‎2017-12-11 11:23 AM

Hi Jees,

 

I have moved this thread to the RSA NetWitness Suite" data-type="space so that you can get an answer to your question.

 

You can post future questions and discussions directly to that community by clicking on the Ask a Question or Start a Discussion button on the RSA NetWitness Suite" data-type="space page.

 

netwitness_discussions-section.png

 

Thanks,
Jeff

0 Likes

Anonymous
Not applicable

‎2017-12-12 01:55 AM

Hi Jees

i am wondering whether RSA will read both custom decoder xml file as well as default decoder xml file

Yes  - that is the purpose of the design for the -custom.xml files. It allows you to make changes to the index settings to override the default settings. It also ensures your changes are not lost if RSA updates the default index file.

When creating new meta for use with log collection, you may also need to update the table-map-custom.xml file (to map metadata generated by the log parsers to your new meta) and also the event source's parser file to generate the meta. More information on the table-map.xml file can be found here: Host GS: Maintain the Table Map Files 

More information on log parsers and log collection in general can be found here: https://community.rsa.com/docs/DOC-78353  

Anonymous
Not applicable

‎2017-12-13 01:59 PM

Also, please note that in addition to what Chris Thomas stated above, the meta key should also be added to the index-concentrator-custom.xml file on the concentrators IF you plan on querying that meta.  Otherwise, the meta will be part of the sessions to review, but just not something you would query directly.

 

Chris

jeesfrancis
Beginner
Beginner
In response to Anonymous

‎2018-01-09 05:10 AM

Thanks for reply

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.