Chaitra Kulkarni

RSA NetWitness Meta Dictionary Tool

Blog Post created by Chaitra Kulkarni Employee on Nov 13, 2017

The RSA NetWitness Meta Dictionary is a tool developed for describing metadata used in RSA NetWitness Log Parsers.  The RSA NetWitness Log Decoder supports over 300+ unique log event sources.  Each log event source has a respective log parser for parsing the content of each log.  The Meta Dictionary tool describes the metadata used in each of the parsersd.


This blog post is intended to help a user understand how to use the tool so they can see the various metadata used in a parser, description of each of the metadata keys and the number of times each metadata keys appear in a parser.



 You need to download the following attachments from the blog post:

  • data.meta file
  • metadictionary.html file


Supported Browsers

  • Google Chrome version 44 or later
  • Firefox version 36 or later
  • Internet Explorer 10 or later
  • Safari version 7 or later


Viewing Meta Data Definitions

  Once you open metadictionary.html file in a browser you will see something similar to the screenshot below.

The screen contains the following sections:

  • Left Navigation pane: contains a list of all the parsers.
  • Details pane: contains the meta details for the selected parser.


This tool offers the flexibility to search for meta keys, data type, etc. as shown in the image below.

In the above screen, we have searched for ipv4, and three occurrences were found; note that the search is case insensitive.


Screen Reference















Parser Name/Version



Left Navigation Pane, and Details Panedisplays Parser Name and Version








A free text search box that you can use to filter results








Show/Hide Columns



Drop down menu from each Column Header allows you to display or hide column




Column Reference

The following table describes each of the available columns that contain the meta data for the parsers.


Column Name


Investigation Display Name

The value displayed in Investigation Page of RSA NetWitness  UI for each Meta

Parser Metakey(occurrences)

Meta key as used in the Parser and its count in parenthesis. For example, for the


aix parser, the saddr meta key occurs 151 times in the parser definition

SA Metakey

Corresponding Meta Name for the meta key in parser definition. Meta Name is used


in RSA NetWitness  Suite

Metakey Description

The description for the key.


The data type of a meta key, as listed in the default table map.xml.

TableMap Indexed

Whether or not the key is indexed in the table map.


The following examples show the table map details for indexed


and non-indexed meta:
















Not Indexed: <mapping












Whether or not the key is available in the default index-concentrator.xml.


We hope you find this tool useful and welcome any feedback or suggestions for improvement.  Please feel free to leave any constructive feedback in the comments below!