This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

How do I query for the oldest event in the decoder/concentrator?

DionStempfley
Occasional Contributor
Occasional Contributor

‎2017-08-15 03:17 PM

I'm trying to monitor retention and want to query my decoders and concentrators for the date of the oldest event record.  I know it's available through explore of the service but don't recall how to query it.  Can I also use the rest interface?

Dion Stempfley
Cybersecurity Analyst
Institute for Defense Analyses
6 REPLIES 6

NaushadKasu1
Trusted Contributor Trusted Contributor
Trusted Contributor

‎2017-08-15 03:39 PM

What version of NW? If you’re on 10.6.3 or later, you can go to Administration --> Health and Wellness --> Sys Stats Browser and select Decoder (or Log Decoder) from the Component drop-down, then hit Apply. You will find a metric called ‘packet.oldest.file.time’ – that will be your oldest packet session on the Decoders. For Concentrator, you need to look for meta.oldest.file.time.

 

If you are on an older version of NW, you will need to go to the View -> Explore view (or http://

 

UPCOMING OUT OF OFFICE

Conference: Aug 21-24, Training: October 3-6

 

<https://community.rsa.com/welcome>

<https://community.rsa.com/welcome>

Preview file
4 KB
Preview file
3 KB

PeterLester
Beginner
Beginner
In response to NaushadKasu1

‎2017-08-15 04:05 PM

Naushad (above) has also done a brilliant eLearning and eLab available for customers for a fee and to Internals at no charge - in case you want to learn more about REST.  Use REST to pull stats, prove ROI, etc.

 

You can search Edutube for individual videos https://edutube.emc.com/html5/home.htm  (keyword REST)or sign up for the course at RSA University at https://community.rsa.com/community/training   or just watch the "teaser" on YouTube RSA NetWitness - Introduction to the REST API - YouTube 

0 Likes

DionStempfley
Occasional Contributor
Occasional Contributor
In response to NaushadKasu1

‎2017-08-15 04:10 PM

Thanks.  That got me the information I needed.  Query through  REST is still something I want, but I will look at the material that Peter suggested.  

Dion Stempfley
Cybersecurity Analyst
Institute for Defense Analyses
0 Likes

Anonymous
Not applicable
In response to DionStempfley

‎2017-08-16 12:31 AM

Look at the script on https://community.rsa.com/thread/134393 it does that and quite a few more stats. You can remove all others and keep just the one you want.

 

Hope it helps!

0 Likes

MansoorIlahiMoh
Contributor
Contributor
In response to NaushadKasu1

‎2018-08-19 09:36 AM

Hi Naushad, I'm using 11.0.1 version or RSA SA. I don't see the statistic parameter "packet.oldest.file.time" listed under Decoder/Log Decoder. Can you suggest any workaround? 

 

Thanks in advance.

 

Regards,

Mansoor Ilahi

0 Likes

NaushadKasu1
Trusted Contributor Trusted Contributor
Trusted Contributor
In response to MansoorIlahiMoh

‎2018-08-19 01:21 PM

I’m not sure what happened to that metric, I will look into it. But if you want to see your oldest packet in your Decoder, enter this into the Statistic field in System Stats Browser... “Packet Time Begin”.

 

Sent from my iPhone

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.