000038309 - ESA Rule Syntax Error when using the meta "index" to lowercase

Document created by RSA Customer Support Employee on Jan 3, 2020

Article Content

Article Number: 000038309
Applies To: RSA Product Set: RSA NetWitness Platform
RSA Version/Condition: 11.3.x, 11.4.x

Issue: Whenever customers create an ESA rule using the Rule Builder or Advanced EPL with index.toLowerCase, they receive a syntax error.

For example, the sample rule below generates the error "Syntax error in module. Incorrect syntax".

Sample Rule - 


@Name('Module_xxxxxxxxxxx_Alert')
 @Description('')
 @RSAAlert(oneInSeconds=0)
SELECT * FROM Event(
 /* Statement: NEW */
 (index.toLowerCase() LIKE '%toto%')
 
 );


Error -  


Syntax error in module. Incorrect syntax near '(' expecting a closing parenthesis ')' but found an opening parenthesis '(' at line 6 column 30, please check the filter specification within the from clause [@Name('Module_xxxxxxxxxxx_Alert')
 @Description('')
 @RSAAlert(oneInSeconds=0)
 SELECT * FROM Event(
 /* Statement: NEW */
 (index.toLowerCase() LIKE '%toto%')
 
 )]



Index is listed as a string in the meta key definitions. 

The main reason for this behavior is that index is a keyword in EPL, so it cannot be used as a meta key with the lowercase function.

Resolution: A workaround is available for RSA NetWitness Platform version 11.3.x onwards. If a customer wants to use the index meta with lowercase functionality, they can declare the 'index' meta under the 'lowercase' field in the Correlation Server Explore view and use 'index_lower' in the ESA rule, which will hold a lowercase value of the index meta. It is always recommended to identify the meta that needs lowercase functionality and add it under the lowercase field to improve performance.

Steps to add index meta to lowercase - 
  1. Navigate to Admin -> Services -> ESA Correlation -> Explore
  2. Under Explore, go to correlation -> stream and add the meta (in this case index) under the lowercase field
  3. Go to Configure -> ESA Rules -> Settings -> Meta Key References and click the 'Meta Re-sync' button

Then edit the ESA rule and use 'index_lower' instead of 'index' as the meta key.

An ESA rule with the above workaround looks like this - 
 

@Name('Module_xxxxxxxxx_Alert')
 @Description('')
 @RSAAlert(oneInSeconds=0)
SELECT * FROM Event(
 /* Statement: NEW */
 (index_lower LIKE ('%toto%'))
 
 );
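
When many rules need the same change, the substitution can be scripted. The following is an added example, not RSA code: the function name rewrite_index_lowercase and the sample rule text are constructed here, and it assumes index has already been added to the lowercase field and re-synced so that index_lower exists.

```python
import re

# Comments and quoted literals are matched first so they are copied through
# unchanged; only a bare index.toLowerCase() call in rule code is rewritten.
_TOKEN = re.compile(
    r"""(?P<skip>/\*.*?\*/|//[^\n]*|'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*")"""
    r"""|(?P<call>(?<![\w.])index\s*\.\s*toLowerCase\s*\(\s*\))""",
    re.DOTALL,
)


def rewrite_index_lowercase(epl):
    """Return (rewritten_epl, line_numbers) for one ESA rule's EPL text.

    line_numbers lists the 1-based lines where index.toLowerCase() was
    replaced by index_lower; an empty list means the rule is unaffected.
    """
    lines = []

    def _sub(match):
        if match.group("skip") is not None:
            return match.group("skip")  # comment or string literal: keep
        lines.append(epl.count("\n", 0, match.start()) + 1)
        return "index_lower"

    return _TOKEN.sub(_sub, epl), lines


# Constructed sample modeled on the failing rule in this article, with an
# extra comment to show that commented-out text is left alone.
SAMPLE_RULE = """@Name('Module_xxxxxxxxxxx_Alert')
@Description('')
@RSAAlert(oneInSeconds=0)
SELECT * FROM Event(
 /* was: index.toLowerCase() */
 (index.toLowerCase() LIKE '%toto%')
);
"""

if __name__ == "__main__":
    fixed, changed = rewrite_index_lowercase(SAMPLE_RULE)
    print("rewritten lines:", changed)
    print(fixed)
```

Only the index meta key is rewritten; calls on other keys and on names that merely end in "index" are left as they are.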
 
