This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

ip.srcport is not parsing

DevarajMohan1
New Contributor
New Contributor

‎2020-04-29 03:27 AM

Hi Team,

We facing problem with ip.srcport metakey. It is not parsing proper. We have done below steps but still issue persist.

 

1) Changed value from Transient to "None" in table-map.xml in Log Decoder.

      <mapping envisionName="sport" nwName="ip.srcport" flags="None" format="UInt16" nullTokens="-|(null)|N/A" deprecated="1"/>

 

Restarted Log Decoder service

 

2) Added the below line in index-concentrator.xml after the destination port line.

 

  <key description="Destination Port" name="ip.dstport" format="UInt16" level="IndexValues" valueMax="65536" defaultAction="Closed"/>
<key description="IP Source Port" name="ip.srcport" format="UInt16" level="IndexValues" valueMax="65536" defaultAction="Closed"/>

 

 Restarted Concentrator Service.

 

 

After done all the steps still ip.srcport is not indexing and not showing in investigation tab. Please do needful.        

0 Likes
1 REPLY 1

AaqibShakeel
New Contributor New Contributor
New Contributor

‎2020-04-29 11:31 AM

Devaraj,

 

You will have to change the value in table-map-custom.xml &  index-concentrator-custom.xml as well.

Kindly refer to the below article once:

000017855 - 'Meta not available on device' is displayed in RSA NetWitness Platform investigations 

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.