RSA NetWitness Platform

2 Posts authored by: Naushad Kasu Employee

Although the RSA NetWitness platform gives administrators visibility into system metrics through the Health & Wellness Systems Stats Browser, we currently do not have a method to see all storage / retention across our deployment in a single instance or view.


Below you will find several scripts that will help us gain this visibility quickly and easily.


Update: Please grab the latest version of the script; some bugs were discovered and have been fixed.


How It Works:


1. Dependency: (attached) both v10 and v11 version for your particular environment. Please run this script prior to running the as it requires the 'all-systems' file which contains all of your appliances & services.

2. We then read through the all-systems file and look for services that have retention e.g. EndpointLogHybrid, EndpointHybrid, LogHybrid, LogDecoder, Decoder, Concentrator, Archiver.

3. Finally, we use the 'tlogin' functionality of NwConsole for cert-based authentication, so the script does not need a username/password as input. It pulls database statistics and outputs the retention (in days) for that particular service.




1. Run ./ (for 10.x systems) or ./ (for 11.x systems)

    NOTE: Make sure to grab the 11.4 version of the backup scripts if you are running NetWitness 11.4+

2. Run ./  (without any arguments). This MUST be run from Puppetmaster (v10) or Node0 (v11).


Sample Run: 


Please feel free to provide feedback, bug reports etc...

Oftentimes, Administrators and Content Managers alike need more information regarding their current parser status (both Logs and Network [formerly Packets]). There is an older, fancier interface for Log parser meta keys located here:

The script in this blog post is a bit more real-time and allows you to gain some additional visibility into your meta keys.




Please ensure you have run the on your SA Server (10.x) or NW Server / Node0 (v11). The script requires access to downstream services using SCP for the log parsing functionality.




Log Parser -> Meta Key Mapping:
When run in Log mode with a specific parser as a parameter, this will output all of the meta keys used in that parser. It will also output the format and whether that key is "Passed to the Concentrator", that is, whether the key's flag is set to Transient (not passed to the Concentrator in the session) or None (passed to the Concentrator).
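The flag check described above, as an added example that is not the script from this post: it reports each key's format and whether it reaches the Concentrator. The table-map-style XML layout (`mapping` elements with `envisionName`, `nwName`, `flags` and `format` attributes), the sample data and all function names are assumptions made for illustration, as is treating unmapped keys as not passed.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the style of a Log Decoder table-map file (assumed layout).
SAMPLE_TABLE_MAP = """\
<mappings>
  <mapping envisionName="username" nwName="user.dst" flags="None" format="Text"/>
  <mapping envisionName="saddr" nwName="ip.src" flags="None" format="IPv4"/>
  <mapping envisionName="process_id" nwName="process.id" flags="Transient" format="Text"/>
  <mapping envisionName="sport" nwName="ip.srcport" flags="none" format="UInt16"/>
</mappings>
"""

# Constructed list of variables that a hypothetical parser references.
SAMPLE_PARSER_KEYS = ["username", "saddr", "process_id", "fld1"]

def load_table_map(xml_text):
    """Return {envisionName: (nwName, format, flags)} from the mapping elements."""
    table = {}
    for m in ET.fromstring(xml_text).iter("mapping"):
        name = m.get("envisionName")
        if name:
            # Normalise flag case so "none" and "None" compare equal.
            flags = (m.get("flags") or "None").strip().capitalize()
            table[name] = (m.get("nwName", ""), m.get("format", "Text"), flags)
    return table

def key_report(parser_keys, table):
    """One row per parser key: (key, meta key, format, passed_to_concentrator)."""
    rows = []
    for key in parser_keys:
        if key not in table:
            # No mapping entry: treated as not passed in this example (assumption).
            rows.append((key, None, None, False))
            continue
        nw_name, fmt, flags = table[key]
        rows.append((key, nw_name, fmt, flags == "None"))
    return rows

def not_queryable(rows):
    """Keys that never reach the Concentrator (Transient or unmapped)."""
    return [key for key, _, _, passed in rows if not passed]

if __name__ == "__main__":
    rows = key_report(SAMPLE_PARSER_KEYS, load_table_map(SAMPLE_TABLE_MAP))
    for key, nw_name, fmt, passed in rows:
        print(f"{key:12} {nw_name or '-':12} {fmt or '-':8} {'yes' if passed else 'no'}")
    print("not on Concentrator:", not_queryable(rows))
```

Keys returned by `not_queryable` are the ones to review before writing detection content, since a rule that depends on a Transient key cannot be evaluated against Concentrator data.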


Network Parser -> Meta Key Mapping:
When run in Network mode with the IP of the Network Decoder, this will output all of the enabled parsers with their respective keys.

White = Enabled
Yellow = Transient
Red = Disabled




To run in Log mode:
Example: ./ -l <PARSER NAME> -i <LOG DECODER IP>
Example: ./ -l rhlinux -i


To run in Network mode:
Example: ./ -n -i <NETWORK DECODER IP>
Example: ./ -n -i

Sample Output


Log Parser -> Meta Key Mapping


Network Parser -> Meta Key Mapping

