This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

NwConsole sdk query

Go to solution
Anonymous
Not applicable

‎2017-08-24 10:19 AM

Hi all - 

I've recently researched querying the SDK via NwConsole, and worked through a number of issues to produce a report of current Alerts. (Integrating these Alerts into our SIEM).

The problem now is that somehow I am only receiving a percentage of the total alerts.

If I load Investigator, I usually have about 40-50 meta keys populated with values in Alerts per 24 hours, but 

my NwConsole SDK query only returns about 20 of the keys.

In NwConsole I login, then open, then the query:

send /sdk query size=0 query="select * where alert exists && time='.....'" output-format=json

 

Any ideas?

 

Don

1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
SravanKoneti1
Beginner
Beginner

‎2017-08-25 04:24 AM

Hi Don,

 

Your Investigator shows events for based on profile time zone. (you might have customized to your local time zone)

NwConsole shows events for UTC time zone by default.

 

Make sure your Investigator time zone UTC time zone and verify the count.

 

I have used below command to simplify the output with the count of metakey alert. (Good for comparison)

/sdk values size=100 fieldName=alert query="select * where alert exists && time='2017-08-25 00:00:00'-'2017-08-25 07:15:00'"

 

Sample output:

id1=41011775477  id2=41012591501  count=3  format=65  value=vip  type=alert  flags=0  group=0

View solution in original post

3 REPLIES 3

Go to solution
SravanKoneti1
Beginner
Beginner

‎2017-08-25 04:24 AM

Hi Don,

 

Your Investigator shows events for based on profile time zone. (you might have customized to your local time zone)

NwConsole shows events for UTC time zone by default.

 

Make sure your Investigator time zone UTC time zone and verify the count.

 

I have used below command to simplify the output with the count of metakey alert. (Good for comparison)

/sdk values size=100 fieldName=alert query="select * where alert exists && time='2017-08-25 00:00:00'-'2017-08-25 07:15:00'"

 

Sample output:

id1=41011775477  id2=41012591501  count=3  format=65  value=vip  type=alert  flags=0  group=0

Go to solution
Anonymous
Not applicable
In response to SravanKoneti1

‎2017-08-31 12:36 PM

Thanks Sravan!

 

The time zone was not the root cause.

The problem was the difference between the basic /sdk calls.

Changing my call from

/sdk query

to

/sdk values    

 

Produced the output I needed.

 

 

Saved me from opening a tech support case!

Go to solution
Anonymous
Not applicable
In response to Anonymous

‎2017-09-19 10:03 AM

Not the first time that I've been wrong.

The time parameter was the root problem.

 

My original time string was quoted like this:

(time='2017-09-08 00:00:04-2017-09-08 02:00:20')

 

yeah, I know, it's obvious.  Need to quote BOTH start time and end time separately:

 

(time='2017-09-08 00:00:04'-'2017-09-08 02:00:20')"

 

 

Thanks Sravan, and this community.

© 2022 RSA Security LLC or its affiliates. All rights reserved.