Leonard Chvilicek

Report:  ValueMax Has Been Reached

Blog Post created by Leonard Chvilicek on Aug 3, 2017

Overview

This report shows the metakeys that have reached their "valueMax" setting in the index of the Concentrators or Archivers. Its purpose is to show which metakeys need their "valueMax" setting increased so that the index can accommodate all the unique values the key receives within an index slice. Read more about "valueMax" in the RSA Link posting Core DB: Index Customization.


Use Case

Run daily, this report catches the "ValueMax Has Been Reached" condition that occurred in the last 24 hours. It can also give you the times at which each metakey reached this condition. The example below shows what the "ValueMax" reached issue looks like when you encounter it.

Example Scenario

You are working on an investigation and need to find a particular host, "somejunkhost", in the alias.host metakey. You start in your Investigation window, set the date range to one month, and open the metakey "Hostname alias" (alias.host). You locate "somejunkhost" in the Investigation window and see something like this:

   host7 (418000) - host4 (50500) - host5 (30567) - somejunkhost (2052) - host1 (1400) - host17 (100)

You click on the "somejunkhost" name (blue text) to narrow your query, and then you see something like this:

   somejunkhost (1895)   <--- Notice that the number is no longer 2052, as it should be

When the session counts (in green) are not consistent after you drill into a metakey value (in blue), this indicates that the "ValueMax" has been reached. The one-month query has spanned multiple index slices, and one or more of those slices does not hold the information for "somejunkhost" in the alias.host metakey. The information is in the metadb but not in the index. To access it, use another metakey that is directly associated with the hostname, such as ip.src or ip.dst. Accessing or pivoting from those keys makes the values visible, just as for a metakey that has been indexed with an "indexkeys" setting.

 

Requirements

This report requires the NetWitness Suite Log Parser 2.3.99.

 

Installation

  1. Download the attached zip file.
  2. Follow the directions in the article Reporting: Import Reports and Report Groups.
  3. Select the zip file when prompted; there is no need to unzip it before importing the report.

 

Report Contents

   1 Report List, used to exclude metakeys that you do not care about reaching the "ValueMax" setting

   1 Report showing Summary, Detailed, and Device tabular lists

   3 Report Rules

These items are imported into a group called "NetWitness Suite" in the Report Engine.
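To make the report logic concrete, here is an added Python illustration (not code from this post, the attached report, or RSA) of what the exclusion list, the 24-hour window from the Use Case section, and the Summary, Detailed, and Device views do. The log line format, device names, and the parse_events/_utc helpers are assumptions constructed for this example; the actual message a Concentrator or Archiver writes, and how the Log Parser maps it to meta, may differ.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (assumption: the real message a Concentrator or
# Archiver emits, and how Log Parser 2.3.99 maps it to meta, may differ).
SAMPLE_LOGS = """\
2017-08-02T02:10:05Z conc01 NwConcentrator: valueMax has been reached for key alias.host in slice 42
2017-08-02T02:10:05Z conc01 NwConcentrator: valueMax has been reached for key filename in slice 42
2017-08-02T14:32:40Z conc02 NwConcentrator: valueMax has been reached for key alias.host in slice 17
2017-08-02T09:01:12Z arch01 NwArchiver: valueMax has been reached for key sessionid in slice 7
2017-07-20T09:05:00Z conc01 NwConcentrator: valueMax has been reached for key alias.host in slice 30
2017-08-02T09:05:00Z conc01 NwConcentrator: slice 43 opened
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<device>\S+) \S+: valueMax has been reached "
                     r"for key (?P<key>[\w.]+) in slice (?P<slice>\d+)$")
EXCLUDED_KEYS = {"sessionid"}  # stand-in for the report's exclusion list

def _utc(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_events(text, now_stamp, window=timedelta(hours=24), excluded=EXCLUDED_KEYS):
    """Events from the `window` before `now_stamp`, minus keys on the exclusion list."""
    now, events = _utc(now_stamp), []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["key"] in excluded:
            continue  # unrelated line, or a key we chose not to report on
        ts = _utc(m["ts"])
        if now - window <= ts <= now:
            events.append({"time": ts, "device": m["device"],
                           "key": m["key"], "slice": int(m["slice"])})
    return events

def summary(events):
    """Summary tab: how many times each metakey hit valueMax in the window."""
    return dict(Counter(e["key"] for e in events))

def detailed(events):
    """Detailed tab: (time, device, key, slice) rows in time order."""
    return sorted((e["time"].isoformat(), e["device"], e["key"], e["slice"]) for e in events)

def devices(events):
    """Device tab: which Concentrators/Archivers reported each key."""
    seen = defaultdict(set)
    for e in events:
        seen[e["key"]].add(e["device"])
    return {k: sorted(v) for k, v in seen.items()}
```

Running parse_events(SAMPLE_LOGS, "2017-08-03T00:00:00Z") keeps the three alias.host and filename events from the preceding day, drops the excluded sessionid key, the July event, and the unrelated line.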

 

Outcomes