This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Filtering data in Investigator based on Decoder

Go to solution
RSAAdmin
Beginner
Beginner

‎2012-09-21 11:09 PM

Other than viewing data based on time lines in Investigator, is there a way to pull data based on a decoder ? i.e pull and load data only  for a particular decoder in the navigate console. For example to focus on alerts , traffic from a decoder placed in a critical segment like DMZ.

0 Likes
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
RSAAdmin
Beginner
Beginner
In response to RSAAdmin

‎2012-09-24 08:09 AM

What do you mean by "into the Investigator"?  You don't have to provide a timeline, you can do "All Data", which removes any time component from the query.  Of course, if you have a lot of data, it might take a while to run queries without time in the where clause.

 

I'm not sure I understand your question.  What do you mean by data?  Packets?  Or Meta?  If you want to skip the first drill which shows meta for all decoders that concentrator is aggregating from, you can Bookmark your drill for only a specific decoder and use that instead of last 24 hours.

 

The easy solution is to just have your concentrator aggregate from just one decoder, then you don't need to filter anything.

View solution in original post

0 Likes
4 REPLIES 4

Go to solution
RSAAdmin
Beginner
Beginner

‎2012-09-22 02:32 PM

To drill on data from a particular decoder, you just choose the decoder name from the Decoder Source report.

 

Scott

0 Likes

Go to solution
RSAAdmin
Beginner
Beginner
In response to RSAAdmin

‎2012-09-23 11:24 PM

Hi Scott,

 

My question was to know if its possible to get data only from a particular decoder into the Investigator and not any other data  i.e now the only option to retrieve data is to provide a timeline ,  and this gets all the data in the concentrator for that time range irrespective of the decoders connected to it and then run a report like you suggested to filter out data.

 

Even before getting meta for all the decoders , is there some way to filter before it reaches the Investigator to make the analysis more focussed.

0 Likes

Go to solution
RSAAdmin
Beginner
Beginner
In response to RSAAdmin

‎2012-09-24 08:09 AM

What do you mean by "into the Investigator"?  You don't have to provide a timeline, you can do "All Data", which removes any time component from the query.  Of course, if you have a lot of data, it might take a while to run queries without time in the where clause.

 

I'm not sure I understand your question.  What do you mean by data?  Packets?  Or Meta?  If you want to skip the first drill which shows meta for all decoders that concentrator is aggregating from, you can Bookmark your drill for only a specific decoder and use that instead of last 24 hours.

 

The easy solution is to just have your concentrator aggregate from just one decoder, then you don't need to filter anything.

0 Likes

Go to solution
RSAAdmin
Beginner
Beginner
In response to RSAAdmin

‎2012-09-24 10:22 AM

Thanks Scott,

 

"I'm not sure I understand your question.  What do you mean by data?  Packets?  Or Meta?  If you want to skip the first drill which shows meta for all decoders that concentrator is aggregating from, you can Bookmark your drill for only a specific decoder and use that instead of last 24 hours"

 

-- The above clarifies my question. By data , I meant meta of the packets in the decoder. Will try the bookmark option you suggested.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.