Skip navigation

Log in to create and rate content, and to follow, bookmark, and share content with other members.

000038309 - ESA Rule Syntax Error when using the meta "index" to lowercase

Document created by RSA Customer Support

on Jan 3, 2020

Version 1Show Document

Like • Show 0 Likes0
Comment • 0
View in full screen mode

Article Content

Article Number	000038309
Applies To	RSA Product Set: RSA NetWitness Platform RSA Version/Condition: 11.3.x, 11.4.x
Issue	Whenever the customers create an ESA Rule using the Rule Builder or Advanced EPL with the index.toLowerCase they receive a syntax error; For example, the below sample rule generates an Error - Syntax error in module. Incorrect syntax Sample Rule - @Name('Module_xxxxxxxxxxx_Alert') @Description('') @RSAAlert(oneInSeconds=0) SELECT * FROM Event( /* Statement: NEW / (index.toLowerCase() LIKE '%toto%') ); Error -* Syntax error in module. Incorrect syntax near '(' expecting a closing parenthesis ')' but found an opening parenthesis '(' at line 6 column 30, please check the filter specification within the from clause [@Name('Module_xxxxxxxxxxx_Alert') @Description('') @RSAAlert(oneInSeconds=0) SELECT * FROM Event( /* Statement: NEW */ (index.toLowerCase() LIKE '%toto%') )] Index is listed as a string in the meta key definitions. The main reason for this behavior is that index is a keyword in EPL, so it cannot be used as a meta parsed in lowercase.
Resolution	A workaround is available for RSA NetWitness Platform version 11.3.x onwards, If a customer wants to use index meta with lowercase functionality they can declare 'index' meta under 'lowercase' field in the Correlation Server Explore view and use 'index_lower' in the ESA rule which will have a lowercase value of index meta. It is always recommended to identify the meta that needs lowercase functionality and add it under lowercase field to improve the performance. Steps to add index meta to lowercase - Navigate to Admin-> Services-> ESA Correlation ->Explore Under Explore go to correlation->stream and add meta (in this case index) under lowercase field Go to Configure->ESA Rules->Settings ->Meta Key References and click on 'Meta Re-sync ' button Then edit the ESA rule and use 'index_lower' instead if 'index' as the meta key. An ESA Rule with the above workaround will be shown as - @Name('Module_xxxxxxxxx_Alert') @Description('') @RSAAlert(oneInSeconds=0) SELECT * FROM Event( /* Statement: NEW */ (index_lower LIKE ('%toto%')) );

Attachments

Outcomes

0 Comments