000037712 - In RSA NetWitness version 11.3.x, queries in Investigate > Navigate are automatically modified

Document created by RSA Customer Support Employee on Jul 16, 2019. Last modified by RSA Customer Support Employee on Aug 6, 2019.
Version 2

Article Content

Article Number: 000037712
Applies To:
RSA Product Set: NetWitness Logs & Network
RSA Product/Service Type: NetWitness UI
RSA Version/Condition: 11.3.x
Platform: CentOS
O/S Version: 7
Issue: When attempting to run a query in Investigate > Navigate within the RSA NetWitness UI and pressing "Apply," the query is automatically modified to a different query that was not originally entered and provides different data.
Workaround: Whenever an executed query is automatically modified, it is because the query fetches the incorrect ID for itself from the list within the URL Integrations page. The following steps work around this.
  1. On node zero, log into mongo.

    mongo admin -u deploy_admin -p <password>

  2. Display the list of databases and choose the investigate-server database.

    > show dbs
    > use investigate-server

  3. Run the following command, which will retain any old queries previously run in Investigation. However, if you have previously bookmarked any URLs from Investigation, such as "https://<sa_ip>/investigation/18/navigate/values/1284", the bookmarks will no longer be valid, as the IDs associated with the old queries (in this example: 1284) will not work.

    > db.getCollection('predicate').updateMany({}, {$unset: {"legacyId": ""}})

Notes: If this does not solve your issue, please open a case with RSA Technical Support and reference this article so that we may better assist you.