Services Tab

This topic provides an overview of the netwitness_configureicon_24x21.png (Configure) > ESA Rules > Services tab. The Services tab shows the status of the deployments on each ESA service.

What do you want to do?

Role I want to ... Show me how
Content Expert Troubleshoot Services Tab. Troubleshoot ESA
Content Expert View deployment Stats for an ESA Service. View Stats for an ESA Service

Related Topics

Quick Look

The following figure shows the Services tab:

(This option is available in NetWitness version 11.3 and later.) If an ESA Correlation service has multiple deployments, under the service name, you will see a tab for each deployment. In the above example, there are two deployment tabs, Deployment A and Deployment B. Each tab displays information specific to that deployment.

The Services tab has the following sections:

  • ESA Services panel (on the left)
  • General Stats panel (top right)
  • Deployed Rule Stats panel (bottom right)

ESA Services Panel

The ESA Services panel lists the name of each ESA service added to NetWitness.


General Stats Panel

The General Stats panel provides information on the Esper engine, rules, and alerts.

The General Stats panel contains the following sections:

  • Engine Stats
  • Rule Stats
  • Alert Stats

​​The following figure shows the General Stats panel.

The following table lists and describes the parameters in each section.

Sections Parameter Description
Engine Stats Esper Version Esper version running on the ESA service
Time Time when the last event was sent to Esper Engine
Events Offered Number of events processed by the ESA service since the last service start
Offered Rate The rate that the ESA service processes current events / The maximum rate that the ESA service processed events.
Status Shows the status of the deployment. A status of Active means that the deployment is active. A status of Inactive means that there was probably an error starting the deployment. Check the error log file for more information: /var/log/netwitness/correlation-server/correlation-server.log.
Rule Stats Rules Enabled Number of rules enabled
Rules Disabled Number of rules disabled
Events Matched Total number of events matched to all rules on the ESA service
Alert Stats Notifications The total number of notifications sent by email, SNMP, syslog, or script for the deployment. (ESA SNMP notifications are not supported in NetWitness Platform version 11.3 and later.)
Message Bus The total number of alerts sent to Respond for the deployment

Deployed Rule Stats Panel

The Deployed Rule Stats panel provides details on the rules that are deployed on the ESA service.

​​The following figure shows the Deployed Rule Stats panel.


The table lists the various parameters in the view and their description.

Parameters Description
netwitness_ic-enable_button.png Enables a rule that was disabled.
netwitness_ic-disable_button.png Disables a rule that was enabled.
Health & Wellness link Enables you to monitor overall memory usage and health of your ESA Correlation service.

Indicates whether the rule is enabled or disabled.
A green circle icon netwitness_enable_button.png indicates that the rule is enabled.
A white circle icon netwitness_ic_disabled_icon.png indicates that the rule is disabled.

If a disabled rule has an error message, it shows netwitness_depupdicon.png in the Enabled field. Hover over the icon to view the error message tooltip. The following example shows that the rule was disabled because it exceeded the configured memory threshold for that rule.

Name Name of the ESA rule.
Rule Type (This field applies to version 11.3 and later.) Endpoint indicates a rule from the Endpoint Risk Scoring Bundle and Esper indicates Esper-specific rules, such as Rule Builder and Advanced EPL rules.
Trial Rule Indicates if the rule is running in trial rule mode.
Last Detected The last time alert was triggered for the rule.
Events Matched The total number of events that matched the rule.
Memory Usage The total amount of memory used by the rule.

Note: The Endpoint Risk Scoring Rules Bundle rules do not show memory usage.

CPU % The percentage of the deployment CPU used by the rule. For example, a deployment with 1 rule shows 100% CPU usage for that rule and a deployment with two equally CPU heavy rules show 50% each. (This field is available in version 11.5 and later.)

Note: The Endpoint Risk Scoring Rules Bundle rules do not show CPU usage.