Some customers are experiencing issues with ESA rules after updating to 11.3.x. When deploying ESA rules that use Context-Hub lists, they receive errors similar to the ones below in /var/log/netwitness/correlation-server/correlation-server.log on the ESA-Correlation Server:
"Failed to validate subquery" .. (output truncated) .."Subqueries require one or more views to limit the stream, consider declaring a length or time window"
OR
com.espertech.esper.client.deploy.DeploymentItemException: Error starting statement: Error attaching view to event stream: Validation exception initializing virtual data window '{ContextHub_List}': Multiple entries with same key: {Key}_Incidents_datasource...
...
... (output truncated)
...
To index multiple values under a key, use Multimaps.index. [create window {ContextHub_List}.vdw:contexthub(LIST)
This could occur for several reasons:
- Duplicate Context-Hub lists with the same name, or lists without any values, in ADMIN > Services > Context-Hub > view > Config > Lists
- Duplicate values in the ds_meta collection in the contexthub-server Mongo database on the ESA-Correlation Server

Duplicate or empty Context-Hub lists
Navigate to the Netwitness UI > ADMIN > Services > Context-Hub > view > Config > Lists and check whether the lists added to your rules contain values and whether there are any duplicate lists with the same name.

Duplicate values in the ds_meta collection
Check for and identify any duplicate entries in the ds_meta collection of the contexthub-server mongo database:
- SSH to the Admin Server/Node Zero
- Log in to the mongo database; the deploy_admin password is required.
# mongo admin -u deploy_admin -p {deploy_admin_password}
> use contexthub-server
List all entries and check for duplicated names:
> db.ds_meta.find()
- Then remove the duplicate entries using the _id of each duplicate.
Example:
> db.ds_meta.remove({"_id" : ObjectId("5b2a608fe84959015206fbee")})
- Then SSH to the ESA-Correlation Server and restart the contexthub-server and correlation-server services.
# systemctl restart rsa-nw-contexthub-server
# systemctl restart rsa-nw-correlation-server
- After that, navigate back to the Admin Server/Node Zero.
- Log in to the mongo database; the deploy_admin password is required.
# mongo admin -u deploy_admin -p {deploy_admin_password}
> use sa
- Drop the metaType collection:
> db.metaType.drop()
> exit
- Navigate to the Netwitness UI and refresh the ESA schema:
Netwitness UI > Configure > ESA Rules > Settings (tab) > Meta Key References, then click the refresh button to repopulate the metaType collection in the sa database.
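The article has you eyeball the output of db.ds_meta.find() for duplicated names and then remove each duplicate by _id. The following is an added example, not part of the original article or of the NetWitness product, that makes that check mechanical: it keeps the first entry for each name and flags every later entry with the same name, then builds the matching remove commands. The sample documents are constructed; the article does not show the ds_meta schema, so the field name "name" and the plain hex-string _id values (in place of ObjectId objects) are assumptions.

```javascript
// Added example (not from the original KB article): find duplicate ds_meta
// entries before removing them, keeping one entry per name.
// ASSUMPTIONS: the list name is stored in a field called "name", and _id is
// shown here as a hex string; in the mongo shell _id is an ObjectId object.

function findDuplicateIds(docs, keyField = "name") {
  const seen = new Map();   // name -> _id of the first document, which is kept
  const duplicates = [];    // one record per later document with the same name
  for (const doc of docs) {
    const key = doc[keyField];
    if (key === undefined || key === null) continue; // no name: nothing to compare
    if (seen.has(key)) {
      duplicates.push({ name: key, id: doc._id, keptId: seen.get(key) });
    } else {
      seen.set(key, doc._id);
    }
  }
  return duplicates;
}

// Aggregation pipeline that performs the same grouping server-side; usable as
// db.ds_meta.aggregate(buildDuplicatePipeline()) in the mongo shell.
function buildDuplicatePipeline(keyField = "name") {
  return [
    { $group: { _id: "$" + keyField, ids: { $push: "$_id" }, count: { $sum: 1 } } },
    { $match: { count: { $gt: 1 } } },
  ];
}

// Produce the remove commands in the form the article uses, one per duplicate.
function buildRemoveCommands(duplicates) {
  return duplicates.map(d => `db.ds_meta.remove({"_id" : ObjectId("${d.id}")})`);
}

// Constructed sample: "Blocked_IPs" appears twice, one entry has no name.
const sampleDsMeta = [
  { _id: "000000000000000000000001", name: "Blocked_IPs" },
  { _id: "000000000000000000000002", name: "Suspicious_Domains" },
  { _id: "000000000000000000000003", name: "Blocked_IPs" },
  { _id: "000000000000000000000004" },
];

function main() {
  const dups = findDuplicateIds(sampleDsMeta);
  for (const d of dups) {
    console.log(`duplicate "${d.name}": ${d.id} (keeping ${d.keptId})`);
  }
  for (const cmd of buildRemoveCommands(dups)) console.log(cmd);
}

main();
```

Run the review step first and only then paste the generated remove commands into the mongo shell; the point of keeping keptId in the output is to confirm that exactly one entry per name survives before anything is deleted.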