2024-11-12 06:21 AM
Hello,
Recently, I enabled the meta key 'action' on the Archiver so that I can use it to filter the results in the Investigate window. I did that by modifying the file 'index-archiver-custom.xml' and adding a new key for it.
I applied the new changes and restarted the aggregation service, which went well.
Now, whenever I try to investigate using the Archiver, I get empty results, as in the following screenshot:
Thanks in advance.
3 weeks ago
@yazantaleb01 please note that the meta key 'did' is not a default key in the Archiver that is indexed. You can only use the indexed meta keys that are in the Archiver in your where clause in the reporting engine. Please go to the Archiver's Config page and look at the Meta Include column for the log decoder you are aggregating from. You'll see a little letter i in a dark circle. If you click on this you will see a list of all the meta keys that are actually being captured from the log decoder. This doesn't mean it is being indexed by the Archiver but it will at least provide a possible list of indexed meta that the Archiver actually is collecting. For instance the meta key action is a default meta. Try changing the where clause to action exists as this should return results for any log that has action meta data.
2 weeks ago
The problem is solved now. I had to enable indexing of all default meta keys (43); after that I was able to see the data both in the Investigate page and in the reports.
Thank you so much for your help and for the advice to use the reporting engine.
2 weeks ago
@yazantaleb01 I'm glad to hear it is now working for you as expected.