The RSA Incident Management (IM) service becomes unresponsive while loading a large number of alerts.
In the NetWitness UI, Incidents > Alerts, when a large number of alerts are loading, the screen is unavailable and the error message Unexpected Error: Timer already canceled is displayed.
This happens when selecting the Time Range "All Data" from the Incidents window in the NetWitness, Incidents > Alerts, when there is a large number of alerts in the Incident Management MongoDB database.
To prevent this condition, configure the Incident Management (IM) service to delete alerts and incidents older than a set number of days, to limit the number of alerts in the NetWitness Incident Management MongoDB database:
Log in to the NetWitness UI.
In the main menu, select Incidents > Configure
Click the Retention Scheduler tab.
Click the Enable data retention scheduler checkbox to enable it.
In the Retain alerts and incidents for dialog, set the number of days either by selecting from the dropdown list or manually typing a numeric value.
Reset the time range in Incident Management to avoid the timeout error message.
Verify if the IM service is running by using the command:
service rsa-im status
If the service is not running, manually start the service using the command: service rsa-im start
Log in to the NetWitness UI, and from the main menu, select Dashboard.
At the top of the page next to Default Dashboard, click the edit pad with the pencil icon, and then click Add Dashlet.
In the Type field from the dropdown, select "Incident Queue Activity", then limit the Time Range to a small value, such as "Last 1 Hour", click Add.
Verify that the Incident Queue Activity dashlet is loaded. It should be similar to the following example image: