2014-08-01 07:18 AM
Hi,
I am using the NetWitness REST API to fetch meta data.
And I found that the operator != is not working.
I am trying to pull the meta data where service is not SSL.
When I try the below, it takes a huge amount of time and returns useless content with no filters as I have provided:
$query .= '&&service!=443';
As a workaround, I had to use the below filter, which worked:
$query = '&&service=0-442,444-u';
$link = "http://$NW_SDK_IP/sdk?msg=values&force-content-type=text/xml&expiry=300&size=500&fieldName=$output&where=".uri_escape($query);
Can you please verify the problem and fix it?
Thanks,
Uma Mahesh
2014-08-04 04:31 PM
Your "fix" may be the preferred way of doing it anyway. I find inequality comparisons against the DB to be extremely costly (resource intensive) and try to avoid them whenever possible, though they work fine in app rules and "real-time" comparisons.
I'm not a NW/SA developer, but in my experience any inequality comparison against the DB that you can rewrite into an equality comparison is probably going to be faster. I've even gone so far as to generate meta from an app rule that does the inequality comparison (i.e. name=not_rfc1918 / ip.src!=10/8,172.16/12,192.168/16), and then you can do an equality comparison against that generated meta (alert=not_rfc1918) to find the same dataset.
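An added example, not part of the thread and not the product's own code: a Python sketch of the equality rewrite discussed above, turning an exclusion such as service!=443 into the range list used in the workaround and URL-encoding it into the `where` parameter. The `u` upper-bound token and the URL parameters come from the original post; the function names, the host 192.0.2.10, the sample `ip.src` clause, and the assumption that single values and ranges can be mixed in one comma list are assumptions of this example.

```python
from urllib.parse import quote


def complement_ranges(excluded, lowest=0):
    """Express 'field != any of excluded' as an equality range list.

    Uses the range syntax from the thread's workaround, where 'u'
    stands for the upper bound, e.g. [443] -> '0-442,444-u'.
    """
    parts, start = [], lowest
    for value in sorted(set(excluded)):
        if value < start:
            continue  # below the covered range, nothing to cut out
        if value > start:
            end = value - 1
            # Assumption: a lone value may sit in the list next to ranges.
            parts.append(str(start) if end == start else f"{start}-{end}")
        start = value + 1
    parts.append(f"{start}-u")
    return ",".join(parts)


def build_values_url(host, field_name, clauses):
    """Build the msg=values URL from the original post.

    The whole where clause is percent-encoded so that '&&', '=' and ','
    stay inside the 'where' parameter instead of being read as
    query-string separators.
    """
    where = "&&".join(clauses)
    return (
        f"http://{host}/sdk?msg=values&force-content-type=text/xml"
        f"&expiry=300&size=500&fieldName={quote(field_name, safe='')}"
        f"&where={quote(where, safe='')}"
    )


if __name__ == "__main__":
    # Constructed sample values; 192.0.2.10 is a documentation address.
    not_ssl = "service=" + complement_ranges([443])
    print(not_ssl)
    print(build_values_url("192.0.2.10", "ip.src",
                           ["ip.src=192.168.0.0/16", not_ssl]))
```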
2014-08-07 11:03 AM
Doug is correct, his technique of using alerts in this way is highly recommended.
There was a bug in 10.3.0 - 10.3.2 that caused != to produce incorrect results for some queries, though it's resolved in the latest releases.
2014-08-15 10:45 AM