NetWitness Community

Anonymous · ‎2015-07-10

Hello All, I have a question regarding the percentages used in the investigator.

I have these information shown, but the percentages doesn't add up to the amount of queries. For example, its ordered by total and sorted as Descending, query info has the most connections however it has 10% while the accept has 21%, anyone knows how it generates that percentage?

- write (2,142) - accept (>1,000 - 21%) - failed to delete pmk cache entry for station (>1,000 - 12%) drop (>1,000 - 11%) - delete directory (>1,000 - 10%) - query info (>1,000 - 10%)

Thanks.

RSAAdmin · ‎2015-07-11

So what those percentages mean is the amount of logs that you have within that time period which you have defined.

For instance, below...

The accept meta key only shows 21% of the currently available 1,000 sessions (21,000 - total) that are available during this time period you have set, which appears that you also have configured a maximum of 1,000 events to populate per meta search result.

- write (2,142) - accept (>1,000 - 21%) - failed to delete pmk cache entry for station (>1,000 - 12%) drop (>1,000 - 11%) - delete directory (>1,000 - 10%) - query info (>1,000 - 10%)

View solution in original post

RSAAdmin · ‎2015-07-11

So what those percentages mean is the amount of logs that you have within that time period which you have defined.

For instance, below...

The accept meta key only shows 21% of the currently available 1,000 sessions (21,000 - total) that are available during this time period you have set, which appears that you also have configured a maximum of 1,000 events to populate per meta search result.

- write (2,142) - accept (>1,000 - 21%) - failed to delete pmk cache entry for station (>1,000 - 12%) drop (>1,000 - 11%) - delete directory (>1,000 - 10%) - query info (>1,000 - 10%)

Anonymous · ‎2015-07-15

thank you very much!

NetWitness Community

Meaning of Percentage in Investigator