NetWitness Community

Checking the SDK query status is an extremely important health check that an Administrator MUST know how to do (and frequent user for that matter).  Knowing how to quickly check the status of any given query is imperative to success in keeping the system running normally (and knowing how to resolve related 'issues' that come up).  Most often the case is not actually the system behaving poorly but rather that an under-experienced user has crafted something that has put extra stress on the system.

Since you mentioned that you are dealing with a Concentrator, you can get to these SDK query metrics by navigating to EXPLORER on the Concentrator itself.  You can do this through SA or via the Administrator thick client.  Once inside the Explorer view, expand 'sdk', then 'stats', then 'queries'.  If there are any running queries, they will show up here with a unique handle for each query. If you select a query, it will show you all of the pertinent information of that particular query (ex: 'query progress').  If you happen to have multiple queries, click through each one and observe the details of what is going on.  You may notice that a poorly constructed rule or alert is causing the system to work harder than it should. This is where it can become a challenge to manage the system if other users are not up-to-speed on formulating efficient queries / rules / alerts, etc.  This can become an ever greater challenge when you are dealing with multiple Concentrators and add in a Broker hierarchy as well (same health check process as mentioned before, just on more appliances).  It is manageable though! You just have to get comfortable doing these checks on a regular basis and before you know it you will be able to quickly diagnose a problem and start working towards a proper resolution.

As an Administrator, you'll want to learn how to view queries, kill individual queries, and how to perform other related health checks on an ad-hoc / routine basis.  There should be related documentation available to you either via the online Help docs, this Community, or possibly from your Account / Sales Engineering team. 

Hope this helps

Again, your slowness scenario could be due to a user input constraint somewhere in the system as I just ran a similar query (one hour period on Mar 25th) for a single Concentrator in my environment and the results came back extremely quick (2.75 secs).  This Concentrator is on 10.3.1

We have seen those slowness issues every now and then. Sometimes queries come very quickly. I can basically search through anything within seconds. Currently we are having issues and we have seen this before. Simple queries take minutes to accomplish.

We noticed however that some "contains" queries and similar might take all the I/O resources from the disk containing the indexDB (iostat). That can then affect to the whole system. I wonder why there have so slow disks on those RSA appliances 7,5K rpm or something.

For instance currently our systems LogHybrids are working like in slow motion movies. I/O isn't the problem. We have had these issues from the beginning. Who knows why.. re-indexing the IndexDB helped at some point (we have created our own meta-fields etc. though).

I don't know if this has something to do with the issues, we have seen (from RSA SecurCare Online - KB):

a64807 | Log Decoder Partitions in Hybrid or AIO Appliance are Not Configured Correctly