This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Issue - Create metakeys Using custom Feed

OmarGarciaGilio
Beginner
Beginner

‎2017-06-15 07:51 PM

Hello,

 

I need create 3 customs metakeys for use them on a custom feed. so I add this line in  "index-logdecoder-custom.xml" file (LogDecoder server) :

 

<Key description="Sede" level="IndexNone" name="tdp.sede" format="Text"/>
<Key description="Ciudad" level="IndexNone" name="tdp.ciudad" format="Text"/>
<Key description="Tipo Red" level="IndexNone" name="tdp.red" format="Text"/>

 

And this lines in "/etc/netwitness/ng/index-concentrator-custom.xml" file (Concentrator server) :

 

<Key description="Sede" level="IndexValues" name="tdp.sede" format="Text" valueMax="10000" defaultAction="Closed"/>
<Key description="Ciudad" level="IndexValues" name="tdp.ciudad" format="Text" valueMax="10000" defaultAction="Closed"/>
<Key description="Tipo Red" level="IndexValues" name="tdp.red" format="Text" valueMax="10000" defaultAction="Closed"/>

 

But on 'Investigate' I see no index values

 

01.png

 

So, any ideas why I don't get IndexValues?

0 Likes
5 REPLIES 5

DaveGlover
Trusted Contributor Trusted Contributor
Trusted Contributor

‎2017-06-15 07:55 PM

You also need to add those keys to the table map custom file on the log decoder

0 Likes

GuyBruneau
Frequent Contributor
Frequent Contributor

‎2017-06-16 07:59 AM

After adding new keys to the Concentrator/Broker, you need to restart the nwconcentrator/nwbroker service for those keys to be indexed. Those keys usually don't need to be added to a logdecoder/packet decoder if the feed are creating them.

0 Likes

OmarGarciaGilio
Beginner
Beginner

‎2017-06-16 12:57 PM

Well I restarted again "nwlogdecoder", "nwconcentrator" and "nwbroker" services, but there is not changes. So, I added this lines on "table-map-custom" file (LogDec)

 

<mapping envisionName="tdp_sede" nwName="tdp.sede" flags="None"/>
<mapping envisionName="tdp_ciudad" nwName="tdp.ciudad" flags="None"/>
<mapping envisionName="tdp_red" nwName="tdp.red" flags="None"/>

 

And then restarted the services again, but there's not change. So I can't figure out what I'm doing wrong.

0 Likes

JohnSnider
Trusted Contributor Trusted Contributor
Trusted Contributor

‎2017-06-16 01:33 PM

You're going to kick yourself for this one, the issue is so simple...

Your index-concentrator-custom.xml entries:

<Key description="Sede" level="IndexValues" name="tdp.sede" format="Text" valueMax="10000" defaultAction="Closed"/>
<Key description="Ciudad" level="IndexValues" name="tdp.ciudad" format="Text" valueMax="10000" defaultAction="Closed"/>
<Key description="Tipo Red" level="IndexValues" name="tdp.red" format="Text" valueMax="10000" defaultAction="Closed"/>

 

What they should be:

<key description="Sede" level="IndexValues" name="tdp.sede" format="Text" valueMax="10000" defaultAction="Closed"/>
<key description="Ciudad" level="IndexValues" name="tdp.ciudad" format="Text" valueMax="10000" defaultAction="Closed"/>
<key description="Tipo Red" level="IndexValues" name="tdp.red" format="Text" valueMax="10000" defaultAction="Closed"/>

 

"Key description" should be all lowercase "key description"  the Capital line is not even recognized by the system and is bypassed.

 

 

Remember to "push" this file to ALL other concentrators after editing it.

 

Please note, that after changing any Indexing on the concentrators, you must do these steps (in order) to have them properly applied in the UI

restart nwconcentrator (or use UI to restart each concentrator), wait for the service to complete the restart before proceeding.

restart nwbroker (or use UI to restart the brokers, if you have Tiered brokers, do the ones that consume from the concentrators first, then move up the Tier to the top.

restart jettysrv (If you are adding or changing index levels on ANY keys, this needs to be done, as Jetty pulls the index settings from the concentrators.

OmarGarciaGilio
Beginner
Beginner
In response to JohnSnider

‎2017-06-16 03:59 PM

Thanks a lot, now it works.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.