Trying to catch up with what the issue is here.
A few things to confirm to get back on track ...
- You have two ESAs connected to the same concentrator(s)?
- Looks like you have confirmed that the 'disposition' key is set as 'None' in the table-map-custom.xml file on the log decoder? Make sure you DO NOT change the default xml files; they will get wiped out with an upgrade and you will lose your changes. Make any edits by copying the entry from the default file and adding it to the -custom.xml equivalent.
- Confirm that disposition is added to the index-concentrator-custom.xml file on your concentrators. It doesn't need to be indexed more than indexNone for ESA to work but should be there so you can see it from the meta investigation. If you are seeing the key when you view meta from event analysis but not when trying to add the metakey to a metagroup, then most likely it's not defined on the index-concentrator.xml.
- Confirm that your ESA can see that new key by going here: Admin > Service > Event Stream Analysis > Explore
- You will see a section called this: SerializedModules
- Copy all the text from that box into Notepad++ (these are all the rules and keys that ESA sees).
- Search for this: {"identifier": "esa.types.source","epl": (this is the section that lists all the keys that ESA sees and is aware of, as well as their type)
- Look for 'disposition' (in my case it looks like this - `disposition` string,)
- If all the configs are set properly you should see the key listed in that section. If you do not, restart ESA to see if it pulls in the new keys after any changes.
- If that fails, open a support case with RSA via RSA Link portal to have support help you out.
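
The SerializedModules check described in the post above, as an added example that is not part of the original post or RSA's own tooling: it finds the `esa.types.source` entry in the pasted text and lists the keys and types it declares. It assumes the `epl` value is a JSON string and that keys appear as a backtick-quoted name followed by a type, as in the post; the function names and the sample text are constructed for illustration.

```python
import json
import re

# Start of the section the post says to search for; whitespace is tolerated.
MARKER = re.compile(
    r'\{\s*"identifier"\s*:\s*"esa\.types\.source"\s*,\s*"epl"\s*:\s*'
)
# A key declaration as shown in the post: `disposition` string,
FIELD = re.compile(r'`([^`]+)`\s+([A-Za-z_][\w\[\]]*)')


def esa_known_keys(serialized_modules):
    """Return {meta_key: type} declared in the esa.types.source section."""
    match = MARKER.search(serialized_modules)
    if match is None:
        raise ValueError("esa.types.source section not found in pasted text")
    # Assumption: the epl value is a JSON string literal. raw_decode reads
    # exactly that one string and handles escaped quotes inside it.
    epl, _ = json.JSONDecoder().raw_decode(serialized_modules, match.end())
    if not isinstance(epl, str):
        raise ValueError("epl value is not a string")
    return {name: typ for name, typ in FIELD.findall(epl)}


def missing_keys(serialized_modules, wanted):
    """Return the keys from `wanted` that ESA does not list."""
    known = esa_known_keys(serialized_modules)
    return [key for key in wanted if key not in known]


# Constructed sample, shaped like the fragment quoted in the post.
SAMPLE = (
    '[{"identifier": "esa.types.source","epl": '
    '"create schema Event(`ip_src` string, `disposition` string, '
    '`alias_host` string[], `size` long);"}, '
    '{"identifier": "rule.example","epl": "select * from Event"}]'
)

if __name__ == "__main__":
    for key, typ in sorted(esa_known_keys(SAMPLE).items()):
        print(f"{key}: {typ}")
    print("missing:", missing_keys(SAMPLE, ["disposition", "not_there"]))
```

Save the text copied from the Explore view to a file and pass its contents to `missing_keys` with the custom keys you added; any key it returns is one ESA has not picked up yet.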