NetWitness Community

ImranAliAhmed · ‎2021-09-22

Hello Guys,

I want to decide the department.name ( new meta created) based on the alias.host value.

example.

alias.host = "IT-PC1" --> deparement.name = "IT"

alias.host = "IT-PC2" --> deparement.name = "IT"

alias.host = "FIN-PC1" --> deparement.name = "Finance".

I understand this can be done using app rules, but I have 70+ departments which requires 70+ app rules, and I can't use feed as this will need to maintain the list all the time with 1-to-1 values.

WilliamMotley1 · ‎2021-09-22

Define the departments in a table:

local known_prefixes = {
["IT"] = "IT",
["FIN"] = "Finance",
...
}

Extract and lookup department from meta:

function deptParser:onHostMeta(idx, host_meta)
local this_prefix = string.match(host_meta, "^([^%-]+)%-")
if this_prefix then
local department = known_prefixes[this_prefix]
if department then
nw.createMeta(self.keys["department"], department)
end
end
end

View solution in original post

ImranAliAhmed · ‎2021-09-22

@WilliamMotley1 I think you are the best to help here 🙂

WilliamMotley1 · ‎2021-09-22

Define the departments in a table:

local known_prefixes = {
["IT"] = "IT",
["FIN"] = "Finance",
...
}

Extract and lookup department from meta:

function deptParser:onHostMeta(idx, host_meta)
local this_prefix = string.match(host_meta, "^([^%-]+)%-")
if this_prefix then
local department = known_prefixes[this_prefix]
if department then
nw.createMeta(self.keys["department"], department)
end
end
end

ImranAliAhmed · ‎2021-09-23

Hello @WilliamMotley1 ,

Thanks for the very quick response.

Below is my full parser department.lua I added it to /etc/netwitness/ng/parsers on my log decoder:

local deptParser = nw.createParser("department_name", "Department Name")

local known_prefixes = {

    ["IT"] = "IT",
    ["FIN"] = "Finance",
   
}

deptParser:setKeys({
	nwlanguagekey.create("department.name", nwtypes.Text),
})

function deptParser:onHostMeta(idx, host_meta)
    local this_prefix = string.match(host_meta, "^([^%-]+)%-")
    if this_prefix then
        local department = known_prefixes[this_prefix]
        if department then
            nw.createMeta(self.keys["department.name"], department)
        end
    end
end


deptParser:setCallbacks({
    [nwlanguagekey.create("host.src")] = deptParser.onHostMeta,
})

It is loaded successfully but the department.name meta is not generating any values.

Can you please let me know what I am missing here.

moreover,

I want to callback on host.src, host.dst (host.all) and alias.host so when these metas are available the parser is triggered, shall I add the below to the lines to the callback

[nwlanguagekey.create("host.src")] = deptParser.onHostMeta,
[nwlanguagekey.create("host.dst")] = deptParser.onHostMeta,
[nwlanguagekey.create("alias.host")] = deptParser.onHostMeta,

Thanks.

WilliamMotley1 · ‎2021-09-23

Your parser seems fine to me. From a quick test it created meta as expected.

After uploading or modifying it, make sure to reload parsers.

You can do that from NwConsole:

/> /decoder/parsers reload

Or from the explore view of the decoder service:

1) expand"decoder"
2) right-click "parsers", select "Properties"
3) select "reload" from the drop-down menu
4) click "Send"

Restarting the Decoder service also will reload parsers.

You'll probably also want to make sure that you've indexed the meta key "department.name" to IndexKeys or IndexValues so that you can search for it. Modifying indexes requires a service restart.

WilliamMotley1 · ‎2021-09-23

And yes that is how you would add those meta callbacks. Each calling the same function is perfectly fine.

ImranAliAhmed · ‎2021-09-26

Hello @WilliamMotley1 ,

It worked!!

The issue was that host.src displays all values in lower case however the real values not necessary lower case, when I added the lowercase and uppercase ( duplicates) in known_prefixes it worked :).

Thanks a lot for your help.

NetWitness Community

Decide the department.name value ( new meta created) based on the alias.host value.