000036092 - Meta filename appears not to be parsed in RSA NetWitness Logs and Packets

Document created by RSA Customer Support Employee on Dec 24, 2018
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000036092
Applies ToRSA Product Set: NetWitness Logs and Packets
RSA Product/Service Type: Core Appliance
RSA Version/Condition: 10.6.3.0
 
IssueIf we are seeing the meta filename not getting parsed then the reason might be the flag value is not the correct one:

<mapping envisionName="filename" nwName="filename" flags="File" envisionDisplayName="Filename|FileName"/>

 
CauseSince the flag value for the filename is not the correct one, we are not seeing the filename getting parsed for certain event sources.
Resolution
To resolve this:
  1. Step 1: Change the flag value to "None", make the changes the by copying the tag from table-map.xml:
    <mapping envisionName="filename" nwName="filename" flags="File" envisionDisplayName="Filename|FileName"/>

    And paste it in table-map-custom.xml:

    <mapping envisionName="filename" nwName="filename" flags="None" envisionDisplayName="Filename|FileName"/>
     
  2. Step 2: Restart the decoder service, you should then be able to see the filename meta.

Attachments

    Outcomes