NetWitness Community

Hi Mohammed,

We have two NW. One is with 11.2 and the other is with the 11.1. My problem is with the disposition value. In the version 11.2 the concentrator got the meta key, but its not parsing the reference log ID 7036. In the version 11.1 the disposition key does't show up. I already updated the table-map.xml and the index-decoder-custom.xml and restarted both services but they are not working. What do you suggest?

UPDATE: now its working on 11.1 and its not on 11.2. And they have the same custom meta keys.

Hello Tiago,

Can you please share the custom meta key line that you have added in both table-map & index-concentrator-custom files?.

Hello Mohammed,

table-map: <mapping envisionName="disposition" nwName="disposition" flags="Transient" format="Text"/> 

index-concentrator-custom: 

<!-- *** Please insert your custom keys or modifications below this line *** -->

<key description="disposition" level="IndexValues" name="disposition" format="Text" valueMax="10000" />

Hello Mohammed,

Yes, i add this line in my table-map.xml. The line i shared is from table-map.xml.

Hi Tiago,

The best practice is not to make any changes in the default 'table-map.xml' file. Because when you upgrade your host, any changes to the default files will be replaced.

So, please copy the below line to you 'table-map-custom.xml' file & restart nwlogdecoder service with this command 'systemctl restart nwlogdecoder'.

<mapping envisionName="disposition" nwName="disposition" flags="None" format="Text"/>

Also, please check if you have added the below line in your 'index-concentrator-custom.xml' file.

<key description="disposition" level="IndexValues" name="disposition" format="Text" valueMax="10000" />

Hello Mohammed, 

Did not work, In the tab investigate the meta key "dispostion" is there but no data parsed. And we got logs that should be parsed.