Article Content
Article Number | 000037167 |
Applies To | RSA Product Set: NetWitness Logs & Network RSA Product/Service Type: Admin Server RSA Version/Condition: 11.2.1.0 Platform: CentOS 7 |
Issue | When investigating against a device, the "Unable to Drill Down Error" is displayed after upgrading from 11.2.1.0 or when a submitted query is completely altered after hitting Apply in Investigation.![]() |
Cause | This problem appears to affect customers who were previously on version 10.6 at one point and have updated to 11.2.1.0. A possible cause of this error is due to a couple of index counters in the Mongo Database being reset as a result of the upgrade. The counter normally increments as users create queries in Investigation but after the upgrade the number has reset its self. As we try to create new queries in the system, it attempts to use a index value that already exists, thus throws an error that can be seen in the /var/netwitness/uax/logs/sa.log file on the Admin Server.
|
Workaround | SCRIPT: We have provided a script to correct the database fields that may be the cause of the issue. If you take the zip file attached to this case, unzip it, and run the javascript file, it will do the same as the manual steps listed below. You will still need to stop and start the jetty service before and after running the script. Note, you will need the deployment password to do these steps and you will need to temporarily bring down the web server. The below includes all of the commands you would need to unzip, stop jetty, execute the provided script, and then start the UI back up.
MANUAL: This option is available to customers who cannot use the script or would rather prefer to do it manually. This article will walk you through how to reset the predicate and userPredicate table counters to the appropriate value. First off, you should stop jetty to ensure that no users continue to make queries while we make our changes. Please note that by doing this you are stopping the User Interface.
Export a copy of the collection we are going to modify just in case a mistake is made so that we can restore. Note, the password for you database is your deployment password. In my case, it is "netwitness".
Then we shall login to make our changes.
First, we need to identify what is the largest index value that exists in the userPredicate collection.
Running this command will return something like this. Take note of the _id field.
Now, we shall attempt to update the counter for userPredicate with the ID value plus 1. Because my value was 41, I want to use 42.
Next, we shall repeat the same process but instead for predicate:
Thus, using the same logic, we will want to use 57:
Once this is finished, you may start jetty backup and check and see if the problem still persists.
|
Notes | If this does not solve your issue, please open a case with RSA Technical Support and reference this article so that we may better assist you. |