This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Reindexing new meta

Go to solution
GrayS
Explorer
Explorer

‎2020-07-08 04:12 PM

I've included a new meta key under index-concentrator-custom.xml to be indexed (and be searchable). Is it possible to have this meta information available for historical / old log data and not just new data? There is a doc here Rebuilding the Index which talks about reindexing, but i'm not 100% sure if it applies to new meta / modified meta. I have tried restarting the concentrator which should trigger this, and I've only got the meta since I made the change and not on old data.

Any ideas?

0 Likes
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
M.McGillick
Contributor Contributor
Contributor

‎2020-07-08 04:24 PM

Hello Stewart.

 

When meta is configured as "flags=Transient" it is held in memory and used by application rules or any other parsing that may occur on the Decoder, but once that parsing is complete, the meta is no longer needed and deleted. By configuring it to "flags=None", once meta processing is complete, the meta is then written to disk and can be retrieved with the corresponding call in the index-concentrator.xml or index-concentrator-custom.xml files that reside on the Concentrator.

 

Unfortunately, as there was no meta written to disk prior to you making this change, there is no way to go back and update your historical events to now have that meta indexed.

View solution in original post

0 Likes
3 REPLIES 3

Go to solution
M.McGillick
Contributor Contributor
Contributor

‎2020-07-08 04:24 PM

Hello Stewart.

 

When meta is configured as "flags=Transient" it is held in memory and used by application rules or any other parsing that may occur on the Decoder, but once that parsing is complete, the meta is no longer needed and deleted. By configuring it to "flags=None", once meta processing is complete, the meta is then written to disk and can be retrieved with the corresponding call in the index-concentrator.xml or index-concentrator-custom.xml files that reside on the Concentrator.

 

Unfortunately, as there was no meta written to disk prior to you making this change, there is no way to go back and update your historical events to now have that meta indexed.

0 Likes

Go to solution
GrayS
Explorer
Explorer
In response to M.McGillick

‎2020-07-08 04:27 PM

Bummer! Thanks for confirming. So I guess the only thing I could resort it is slow text based searching?

0 Likes

Go to solution
M.McGillick
Contributor Contributor
Contributor

‎2020-07-08 04:34 PM

Hello Stewart:

 

For the older data prior to making the change, yes. Once configured, though, RSA Netwitness is great at helping you dig through what's important versus what is just noise - Like most strong advanced SIEM systems, that usually requires understanding what you have coming in and then tuning it to how it is going to be most useful to you.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.