This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Test Rule stuck on loading

Go to solution
YossiNagar
Beginner
Beginner

‎2017-06-15 02:45 AM

Hi,

 

I'm trying to test some rules i'm building to see the results, but once i'm run ning the rule it's loading forever and not presenting any results. The system even not returning message like "No Results".

 

Will appreciate any help.

Thanks,

Yossi.

0 Likes
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
SravanKoneti1
Beginner
Beginner
In response to YossiNagar

‎2017-06-15 03:49 AM

Hi Yossi,

 

Default meta keys are already defined in table-map.xml in logdecoder.

 

1. Please check whether you are getting logs from device you want to query.

2. If logs are coming, do you see meta values in the investigation page.

3. If you don't see meta values for specific meta keys, check parsing for that meta keys.

4. If parsing is problem, either you reach out support for parser update or build your own custom parser using ESI tool: RSA NetWitness ESI Tool Downloads .

5. If parsing works for meta key, then you may need to define in table-map-custom.xml and index-concentrator-custom.xml using https://community.rsa.com/docs/DOC-45327  steps.

View solution in original post

4 REPLIES 4

Go to solution
SravanKoneti1
Beginner
Beginner

‎2017-06-15 03:05 AM

Hi Yossi,

 

Looks like you don't have meta values for what you are trying in reports.

 

First, Please run queries in the investigation for the meta values using Investigation: Query Data in Navigate View for the duration.

 

If data shown in investigation page, same data can be shown for same duration in Report->Rules output.

Go to solution
YossiNagar
Beginner
Beginner
In response to SravanKoneti1

‎2017-06-15 03:15 AM

Hi Sravan,

 

Looks like you're right..

If so, how can i import meta values to the system. Shluld i add to the Custom-xml file in the Decoder?

0 Likes

Go to solution
SravanKoneti1
Beginner
Beginner
In response to YossiNagar

‎2017-06-15 03:49 AM

Hi Yossi,

 

Default meta keys are already defined in table-map.xml in logdecoder.

 

1. Please check whether you are getting logs from device you want to query.

2. If logs are coming, do you see meta values in the investigation page.

3. If you don't see meta values for specific meta keys, check parsing for that meta keys.

4. If parsing is problem, either you reach out support for parser update or build your own custom parser using ESI tool: RSA NetWitness ESI Tool Downloads .

5. If parsing works for meta key, then you may need to define in table-map-custom.xml and index-concentrator-custom.xml using https://community.rsa.com/docs/DOC-45327  steps.

Go to solution
YossiNagar
Beginner
Beginner
In response to SravanKoneti1

‎2017-06-15 04:04 AM

Perfect!

Thank you vety much

© 2022 RSA Security LLC or its affiliates. All rights reserved.