NetWitness Community

Hey Tiago,

In Investigation you are querying from your Log concentrator or Broker?.

I just did the same changes in my 11.2 lab & it works fine. here are the changes & screen shot from my Investigation using Log concentrator.

Table-map-custom.xml in Log decoder:

<mapping envisionName="disposition" nwName="disposition" flags="None" format="Text" envisionDisplayName="Disposition"/>

Index-concentrator-custom-xml in Log concentrator:

<key description="Disposition" level="IndexValues" name="disposition" format="Text" valueMax="1000" defaultAction="Open"

The line in 'Table-map.xml' file will be there and it does not affect our changes, because the flag is set as 'Transient'

<mapping envisionName="disposition" nwName="disposition" flags="Transient" format="Text" envisionDisplayName="Disposition"/>

For any Meta to be indexed, flag should be set to 'None' & this is the change we are doing in 'table-map-custom.xml' file.

Ok, Can you go to Investigate->events & see if anything is parsed in 'Disposition' meta as below?.

Ok. so from that it is clear that there is not no need to update the parser & changes on decoder has taken effect.

I would suggest to do the below steps one more time to see if it resolves.

1. Restart nwlogdecoder service on the Decoder that sending logs to Concentrator.

2. Restart nwconcentrator service on the Concentrator that you are using for Investigation.

3. Wait for about 30 minutes & Inject new logs to Log decoder.

4. Go to Investigate & load the default Meta group to verify if the Disposition meta shows up.