000037837 - "Recent" queries do not show in Investigate > Navigate in RSA NetWitness version

Document created by RSA Customer Support Employee on Aug 19, 2019
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000037837
Applies ToRSA Product Set: NetWitness Logs & Network
RSA Product/Service Type: NetWitness UI
RSA Version/Condition:
Platform: CentOS
O/S Version: 7
IssueIn RSA NetWitness version, the "Recent" queries do not appear in Investigate > Navigate.
ResolutionThe issue will be fixed in
Until the fix becomes available, please apply the workaround below.
  1. Run the following commands from an SSH session of the node zero server:

    # mongo investigate-server -u deploy_admin -p <mongo password> --authenticationDatabase admin 

    > db.predicate.drop() 

    > db.userPredicate.drop() 

    > exit

    - The "predicate" collection contains the queries ran.
    - The "userPredicate" collection contains the users who ran each query. 
    - By dropping both collections, it clears out who ran which query. 
  2. Log in to the RSA NetWitness UI and check within Investigate > Navigate if the "Recent" queries are being saved.

NotesIf needed, to find the <mongo password> above, run the following command from an SSH session of the node zero server: 

# security-cli-client --get-config-prop --prop-hierarchy nw.security-client --prop-name platform.deployment.password --quiet

If this does not solve your issue, please open a case with RSA Technical Support and reference this article so that we may better assist you.