Skip navigation

Log in to create and rate content, and to follow, bookmark, and share content with other members.

000037712 - In RSA NetWitness version 11.3.x, queries in Investigate > Navigate are automatically modified

Document created by RSA Customer Support

on Jul 16, 2019•Last modified by RSA Customer Support

on Aug 6, 2019

Version 2Show Document

Like • Show 0 Likes0
Comment • 0
View in full screen mode

Article Content

Article Number	000037712
Applies To	RSA Product Set: NetWitness Logs & Network RSA Product/Service Type: NetWitness UI RSA Version/Condition: 11.3.x Platform: CentOS O/S Version: 7
Issue	When attempting to run a query in Investigate > Navigate within the RSA NetWitness UI and pressing "Apply," the query is automatically modified to a different query that was not originally entered and provides different data.
Workaround	This workaround is due to whenever a query is executed that is automatically modified, it fetches the incorrect ID for that query from the list within the URL Integrations page, which is why the query is modified. On node zero, log into mongo. mongo admin -u deploy_admin -p <password> Display the list of databases and choose the investigate-server database. > show dbs > use investigate-server Run the following command, which will retain any old queries previously ran in Investigation. However, if you have previously bookmarked any URL's from Investigation, such as "https://<sa_ip>/investigation/18/navigate/values/1284", the bookmarks will no longer be valid, as the ID's associated with the old queries (in this example: 1284) will not work. > db.getCollection('predicate').updateMany({}, {$unset: {"legacyId": ""}})
Notes	If this does not solve your issue, please open a case with RSA Technical Support and reference this article so that we may better assist you.

Attachments

Outcomes

0 Comments

Recommended Content

Incoming Links

Recently Published Knowledge Base Articles for RSA NetWitness® Logs & Network